Today, 25 January 2024, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C‑687/21, MediaMarktSaturn.
This case concerns a dispute regarding compensation for non-material damage allegedly suffered by a data subject because of the disclosure of some of his personal data to a third party due to an error made by employees of the data controller.
CJEU declared inadmissible the question on the validity of Article 82 of the GDPR on the right to compensation. This is because, contrary to the CJEU’s Rules of Procedure, the referring court had not provided any specific information enabling the CJEU to examine the validity of Article 82 of the GDPR.
More important, the CJUE ruled that, in the context of an action for compensation based on Article 82, the fact that employees of the controller have mistakenly handed over a document containing personal data to an unauthorized third party is not in itself sufficient to consider that the technical and organizational measures implemented by the controller in question were not “appropriate” within the meaning of these Articles 24 and 32.
- the right to compensation does not have a punitive function, but a compensatory one. The financial compensation based on Article 82 must make it possible to fully compensate for the actual damage suffered as a result of the breach of the GDPR;
- the seriousness of the breach of the GDPR that has caused the damage in question cannot influence the amount of damages to be awarded under the GDPR, even in the case of non-material damage, so that the amount cannot be set at a level that exceeds full compensation for such damage;
- the data subject seeking compensation under the Article 82 of the GDPR must not only prove that the provisions of the GDPR have been breached, but also that this breach has caused material or non-material damage;
- in the event that a document containing personal data has been disclosed to an unauthorized third party of whom it is established that he was not aware of them, “non-material damage” within the meaning of Article 82 of the GDPR is not constituted by the mere fact that the data subject fears that, as a result of this communication having made it possible to make a copy of the document before returning it, the data may be disseminated or even misused in the future.
The judgment of the CJEU is available here (currently available only in German and French).