Cass.Civ. - 13073/23

From GDPRhub
Revision as of 09:56, 21 June 2023 by Mg (talk | contribs) (→‎Comment)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Cass.Civ. - 13073/23
Courts logo1.png
Court: Cass.Civ. (Italy)
Jurisdiction: Italy
Relevant Law: Article 82 GDPR
Decided: 19.04.2023
Published: 12.05.2023
National Case Number/Name: 13073/23
European Case Law Identifier:
Appeal from:
Appeal to: Not appealed
Original Language(s): Italian
Original Source: Supreme Court of Cassation (Italy) (in Italian)
Initial Contributor: mg

The Court of Cassation held that no minimum threshold applies under Article 82 GDPR, a “marginal” damage being sufficient to claim compensation. The controller cannot rely on the fact that it subsequently brought processing into compliance with the GDPR to exclude its liability.

English Summary


A court of first instance ordered a municipality – the controller – to compensate one of its employees – the data subject – for non-material damages suffered as a consequence of an unlawful processing of personal data. In particular, the accidental publication of certain data unnecessarily affected the data subject’s reputation.

The controller appealed the decision arguing that the court of first instance granted compensation for a GDPR violation without considering whether such a violation actually harmed the data subject.


The Court of Cassation rejected the controller’s appeal.

According to the court, the right to compensation for non-material damages directly stems not only from Article 82 GDPR, but also from Article 8 ECHR and Articles 2 and 21 of the Italian Constitution.

In the first place, the court held that the right to compensation for non-material damages is not excluded by the fact that the controller subsequently brought processing operations into compliance with the GDPR.

Second, the court stressed that not every violation necessarily leads to liability under Article 82 GDPR. As a matter of fact, the violation must have entailed actual harmful consequences on the data subject. That said, it is not necessary that the harm suffered meets a minimum threshold, being subject to compensation also a “marginal” damage.

In this case, the Court of Cassation upheld the judgement of the court of first instance, as the latter considered the violation in its context and determined that type of data and factual circumstances objectively gave rise to non-material damages.


Even if this judgement dates back to a time when the CJEU had not ruled on the issue of non-material damages under the GDPR, the Italian Court of Cassation substantially rejects the idea of a minimum threshold. Traditionally, the Italian Court of Cassation accepts the idea that non-material damages should have a certain degree of seriousness to be compensated. Interestingly, in this judgement the court makes reference to that case law, but it interprets the principle of law in a slightly different way: minimum degree of seriousness means that damage does not automatically arise from any violation, regardless of its ojective consequences on the data subject (in other words, it is not "in re ipsa"). However, also "marginal" damage shall be entirely compensated. It is hard to say if this judgement is in contrast with the previous case law or it merely specifies it. What is certain is that there is no reference to an assessment concerning the emotional or psychological state of the data subject following the infringement of their data protection rights. The existence of a (marginal) damage is assessed through merely objective criteria (in this case type of data and context of the violation), i.e. through a presumption.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Civil cassation section I - 05/12/2023, no. 13073




Composed of the Distinguished Magistrates:






said the following:


on the appeal registered under no. 30023-2021 RG proposed by:

MUNICIPALITY OF (Omissis), domiciled pursuant to law in ROME, PIAZZA CAVOUR

at the REGISTRY of the COURT of CASSATION, represented by e

defended by the lawyer XXX,

- applicant -


S.G., domiciled ex lege in ROME, XXX at the

CANCELERY of the COURT of CASSATION, represented and defended

by the lawyer XXX;


against the JUDGMENT of the COURT of PISA n. 1204-2021 filed on


Having heard the report carried out in the council chamber on 04/19/2023

by Councilor XXX

Case facts

The Municipality of (Omissis) has filed an appeal in cassation against the sentence with which

the Court of the same city sentenced him to pay compensation for the damages caused to S.G., his own employee, due to the unlawful processing of personal data.

The S. resisted with counterclaim and memory.

Reasons for the decision

I. - The appeal is entrusted to the following grounds:

(i) violation or false application of articles 24, 29 and 82 of Regulation (EU) 2016-679,

CD. GDPR, for having the court ignore the circumstances that had led to the offence

processing of the personal data of the interested party, and the damage is considered in re ipsa for the mere fact

that there had been data processing in the organization that did not comply with the provisions of the law: yes

claims to have been peacefully demonstrated in court what the complex system was

of privacy management adopted by the municipality of (Omitted), with a detailed description of

security measures aimed at guaranteeing data protection in the context of management

information technology of document flows and the publication of deeds and documents in the praetorian register,

area in which the accident occurred; hence the ostension on the praetorian register of the municipality of the

personal information of the employee had occurred by accident, distraction or human error, not

foreseeable, nor avoidable in the future, of an operator authorized to process e

adequately educated; operator who, in charge of taking care of the IT process of

generation of the accounting regularity visa and to upload it to the management system

documentary attached to the anonymized determination, had inadvertently

"checked", the "publish" field corresponding to the visa itself, which it should have

remain for internal use only; this incident had been remedied in just over 24 hours,

so that a damage attributable to the municipality should have been deemed non-existent

consequence of the accidental posting of the visa in the praetorian register;

(ii) violation or false application of the art. 2050 of the Civil Code, because the related damage can never

be considered in re ipsa, and the plaintiff had not provided proof in the judgment on the merits

any of the damage suffered as a result of the publication in the praetorian register of a visa of

accounting regularity containing your personal data for just over a day;

(iii) nullity of the sentence for apparent reasons due to an illogical evaluation of the

assumptions of fact, the court having affirmed that the damage as in re ipsa to be

personal data have been disclosed in violation of the principles for data processing, thus demonstrating that they confuse the concept of data violation with that of damage that may

to be derived from it;

(iv) failure to examine a decisive fact regarding the content of the Guarantor's communication

for the protection of personal data, which had only been considered as an acknowledgment, from

part of the supervisory authority, of the waiver of the complaint by S., instead of how

definition of the merits of the complaint, with a declaration of the non-existence of any violation in the conduct

of the municipality such as to make it necessary to adopt measures

college students.

II. - The appeal, the reasons for which can be examined jointly by connection, is in

partly inadmissible and partly unfounded.

III. - From the judgment we learn that the unlawful treatment had been integrated into the following

way: on 12/8/2020 the municipality of (Omissis) had published on its institutional website a

determines its attachment for a certain amount of an employee's salary

municipal, such that the institution had undertaken to pay one fifth of the salary a

favor of the creditor company; the publication of the data had been omitted in the determination

of the debtor, but in the attached accounting note the express indication of the data had been

instead maintained, and the data were thus finished, albeit for little more than a day, in the register

praetorium online of the municipality itself.

In that situation the court concluded that the treatment was anyway

(objectively) occurred in violation of the GDPR, and that he was moreover aware of this

the same entity, which had precisely admitted - as well as admitted in

here - to have disclosed the non-extensible "reputational" data through publication

by virtue of the principles of necessity and minimization established by the law.

IV. - Having said that, the fact that this occurred by mistake is irrelevant

human, distraction or otherwise, as the appellant insists for the purposes of the present first submission,

for the elementary reason that the data controller is also liable for the fact

culpable of its employees, as moreover already sanctioned in general by the art. 2049 of the civil code For

all matters of civil liability.

V. - The fundamental point is that the non-pecuniary damage that can be compensated is in these cases determined by an infringement of the fundamental right to the protection of personal data

constitutionally protected (Const., articles 2 and 21 and article 8 of the ECHR).

The relevance of the compensation remedy is confirmed by the GDPR, whose art. 82 establishes that

"anyone who suffers material or immaterial damage caused by a violation of the

this regulation has the right to obtain compensation for damages from the owner of the

treatment or by the controller".

This means that the injured party following the processing of his data in

violation of the GDPR and national transposition rules (see Legislative Decree no. 101

of 2018 updating of the privacy code) can obtain compensation for any

injury to him, even if the injury is minor; and the holder is liable for the damage

caused by the treatment in violation of the regulation regardless of the possible

competition of the specific manager.

YOU. - The concept of damage is moreover specified in Recital 146 of the GDPR, second

which "The controller or processor should compensate i

damage caused to a person by a treatment that does not comply with this regulation

but should be relieved of that liability if it proves that the harmful event

it is in no way attributable to him".

It also states that the concept of damage "should be interpreted in the sense

side in the light of the jurisprudence of the Court of Justice in such a way as to reflect

fully the objectives of this Regulation"; so that "the data subjects should

obtain full and effective compensation for the damage suffered".

VII. - The recitals of an EU Regulation or a Directive perform the function of

explain the reasons for the regulatory intervention and integrate the "concise motivation", such as

also clarified by the Joint Practical Guide of the European Parliament, the Council and the

Commission for the drafting of legislative texts of the European Union of 2015.

That is, they do not contain statements of a normative nature (see Cass. Section 5 n. 7280-22).

And yet they are in any case non-secondary elements in terms of interpretation of the

related norms.

The adaptation of the national system to the rules of the GDPR therefore requires us to clarify the meaning of some previous positions expressed by this Court with regard to art. 15 of

privacy code.

It has been said in the validity of the art. 15 that the damage cannot be said in re ipsa (see Cass. Section 6-1

no. 17383-20, Cassation Section 3 no. 16133-14), and this is certainly to be maintained.

However, the meaning of the affirmation cannot be translated otherwise than in this: that the law

the compensation does not escape the verification of the seriousness of the injury and the seriousness of the


This is because also for this right there is a balance with the principle of solidarity ex

Constitution, art. 2, of which minimal lesion tolerance is a precipitate.

The meaning of the statement, after the GDPR, is offered by the observation that it is not such as

determine an effective infringement of the right the mere violation of the provisions set forth

subject of treatment, but instead that violation that actually offends the scope is

effectiveness of the right to data privacy.

Given then that the related assessment integrates the question of fact and is referred to the

trial judge, it may be observed that in the present case the court did not fail to

grasp the evidence of the profile.

Although mentioning the category of damage in re ipsa, the court carried out

the assessment considering that in fact a damage had been integrated by the disclosure of the data

by type and context, although only for a limited time. And so much emerges implicitly

from the description of the material event and from its having matured in a specific area

temporal and social-work.

VIII. - It follows that all the justifications provided by the municipality of (Omissis) in the first reason

are not relevant, given that the illegality of the treatment attributable to the owner has never been

disputed (nor, for the considerations set out, is it in the least contestable), and the elements

indicated as a basis for the remaining reasons are all indecisive and inadmissible

aimed at subverting the judgment of fact.

IX. - Moreover, it should be added that it could never be found in a favorable sense to the

what was specified in the appeal regarding the provision of the Guarantor is common.

The provision followed the waiver of the complaint made by the interested party. The crucial passage is reported in the appeal, in which it was recognized that "the

document was published for a mere clerical error and for a limited period e

the administration, when it became aware of the error, put it

immediately put in place all necessary measures to remove the document".

Well, even regardless of having been the reasoned decision to conclude

the examination of the complaint "without the adoption of collegial measures", for the sole purpose, therefore, of the

administrative judgment relevant there, naturally without prejudice to the rights of the injured party,

it remains essential that the same provision of the Guarantor supports the assessment of

responsibility of the data controller, where duly parameterized to the GDPR.

Indeed, the data controller must in any case compensate for the damage caused to a person

"from a treatment that does not comply with this regulation", and can be exempt from

such a responsibility not simply if it is activated (as its duty) for

remove the unlawfully exposed data, but only "if it proves that the harmful event did not

is in no way attributable".

X. - In conclusion, the appeal must be rejected.

The following principles of law must be affirmed:

- based on the general discipline of Regulation (EU) 2016.679, cd. GDPR, the owner of the

processing of personal data is always required to compensate for the damage caused to a person

from a treatment that does not comply with the regulation itself, and can be exempt from

liability not simply if he took steps (as his duty) to unlawfully remove the data
exposed, but only "if he proves that the harmful event is not his in any way


- the exclusion of the principle of damage in re ipsa presupposes, in these cases, proof of

seriousness of the injury resulting from the treatment; this means that it may not determine the

damage the mere violation of the formal prescriptions on the subject of data processing, while

that violation which concretely offends the scope always leads to compensation

effective right to privacy. Expenses follow the loss.


The Court rejects the appeal and orders the appellant to pay the costs of the proceedings, which it settles at EUR 2,200.00, of which EUR 200.00 for disbursements, plus accessories and lump-sum reimbursement of expenses

general in the maximum percentage of the law.

Provides that, in the event of dissemination of this ordinance, the personal details e are omitted

other significant data.

Pursuant to the D.P.R. no. 115 of 2002, art. 13, paragraph 1 quater, acknowledges the existence of

preconditions for the payment, by the appellant, of the additional amount by way of

unified contribution equal to that relating to the appeal, if due.

Thus decided in Rome, in the council chamber of the first civil section, on 19 April 2023.

Filed in the Registry on 12 May 2023