DATA PROTECTION
EU Court of Justice: liability of the data controller for damage caused to third parties by its employee in breach of the data protection instructions received.
The EU Court of Justice provided the correct interpretations of Articles 82, 83 and 29 of the GDPR in the case of a German lawyer who had complained to a company about the continued receipt of unsolicited communications for marketing purposes even after his consent had been withdrawn.
The data subject therefore filed a lawsuit against the company for damages for the processing of his personal data. The company argued that the breach was attributable to an employee who had infringed the strict protection system implemented by the company to prevent unsolicited calls, as well as the processing instructions given under Article 29 of the GDPR. When asked by the German national court about the interpretation of Article 82 of the GDPR regarding the exemption of the controller from liability, the CJEU replied on this point that Article 82 of the GDPR must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority within the meaning of Article 29 of that regulation. If that were the case, the injured party would have to take direct action against the infringer, and would thereby be deprived of his right to compensation for the damage.
The Court points out that the circumstances of the exemption from liability provided for in Article 82(3) of the GDPR must be strictly limited to those in which the data controller is able to prove that the damage is in no way attributable to it. Therefore, in the case of a personal data breach committed by a person acting under its authority, the controller may only benefit from this exemption if it proves that there is no causal link between the possible breach of the data protection obligation and the damage suffered by the data subject (in other words: the breach by the employee must have been committed in pursuit of his own purposes and unconnected with the tasks and instructions to which he is subject).
The EU Court also sets out further important principles on the subject of compensation for damage caused by processing, including the following:
(1) an infringement of provisions of the GDPR which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of Article 82 of the GDPR, irrespective of the degree of seriousness of the damage suffered by that person and the proof thereof;
(2) Article 82 of the GDPR must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation.