DATA PROTECTION
EU Court of Justice: an award of damages for processing under Article 82 of the GDPR does not necessarily have to be aggravated by a simultaneous breach of other regulations although the judge remains free to decide on a case-by-case basis.
The case concerned some German taxpayers who had approached an accountant for their tax returns. The latter had sent the paper package by mail, but to the wrong address, leading to a situation whereby unauthorised third parties had gained access to the taxpayers' tax data who then sued the accountant for damages.
To the various questions posed by the referring court, the CJEU replied as follows.
First, a breach of the GDPR is not sufficient in itself to establish a right to compensation under Article 82. The data subject must also prove the existence of damage caused by that breach, without, however, that damage having to reach a certain degree of severity.
Secondly, the Court clarifies that a person's fear that his or her personal data, due to a breach of the GDPR, have been disclosed to third parties, without it being possible to prove that this was actually the case, is sufficient to give rise to a right to compensation provided that this fear, with its negative consequences, is duly proven.
Finally, in order to determine the amount due by way of compensation for a damage based on Article 82 of the GDPR
- the criteria for determining the amount of administrative fines laid down in Article 83 of the GDPR must not be applied mutatis mutandis;
- the right to compensation should not be given a deterrent function;
- no account is to be taken of simultaneous breaches of national provisions relating to the protection of personal data which do not have the object of clarifying the rules of the GDPR.
To the various questions posed by the referring court, the CJEU replied as follows.
First, a breach of the GDPR is not sufficient in itself to establish a right to compensation under Article 82. The data subject must also prove the existence of damage caused by that breach, without, however, that damage having to reach a certain degree of severity.
Secondly, the Court clarifies that a person's fear that his or her personal data, due to a breach of the GDPR, have been disclosed to third parties, without it being possible to prove that this was actually the case, is sufficient to give rise to a right to compensation provided that this fear, with its negative consequences, is duly proven.
Finally, in order to determine the amount due by way of compensation for a damage based on Article 82 of the GDPR
- the criteria for determining the amount of administrative fines laid down in Article 83 of the GDPR must not be applied mutatis mutandis;
- the right to compensation should not be given a deterrent function;
- no account is to be taken of simultaneous breaches of national provisions relating to the protection of personal data which do not have the object of clarifying the rules of the GDPR.