By 2E Law

Employers may be held liable for employees' GDPR errors

In its recent ruling issued in April 2024 in case C-741/21, the European Court of Justice (ECJ) addressed liability for "non-material damage" resulting from GDPR infringements and the question of whether a controller can be held accountable for damage caused by errors made by individuals acting under its authority.


First, the ECJ reiterated its previous case law, which states that an infringement of a GDPR provision that confers rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of Article 82(1) GDPR, irrespective of the degree of seriousness of the damage suffered by that person. Rather, three cumulative conditions must be met: (a) a breach of a GDPR provision; (b) the existence of damage; and (c) a causal link between the breach and the damage.


The Court then examined whether Article 82 of the GDPR must be interpreted as meaning that it is sufficient for the controller, in order to be exempted from liability, to claim that the damage in question was caused by the failure of a person acting under its authority. It should be recalled that Article 82 of the GDPR states, in paragraph 2, that any controller involved in the processing is liable for the damage caused by processing which infringes that regulation and, in paragraph 3, that a controller is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.


The ECJ first noted that persons acting under the authority of the controller, such as its employees, who have access to personal data may, in principle, process those data only on instructions from that controller and in accordance with those instructions. Secondly, under Article 32(4) the controller is to take steps to ensure that any natural person acting under its authority who has access to personal data does not process those data except on instructions from the controller, unless he or she is required to do so by EU or Member State law. Lastly, it is for the controller to ensure that its instructions are correctly applied by its employees. Accordingly, the ECJ held that the controller cannot avoid liability under Article 82(3) of the GDPR simply by relying on negligence or failure on the part of a person acting under its authority.


Implications for Controllers and Data Subjects


This strict interpretation by the ECJ underscores the accountability of controllers for managing data protection within their organizations and enhances the protection of individuals against data misuse. Controllers are urged to enforce rigorous data protection policies, train employees, and verify their adherence to those policies in order to prevent breaches.


For data subjects, the ruling reinforces their right to seek compensation for non-material damage, contingent upon demonstrating a direct link between the GDPR breach and the actual damage suffered.


You can contact us for more information: info@2e-law.com