The General Data Protection Regulation (GDPR) not only protects personal data, but also gives data subjects the right to claim damages when it is breached. A recent ruling by the European Court of Justice (ECJ) clarifies important questions about the liability of controllers, and employers* in particular, for errors made by their employees.
Non-material damage: Requirements and proof
Under Art. 82 GDPR, a person is entitled to compensation if they have suffered material or non-material damage as a result of an infringement of the GDPR. The infringement alone, however, does not automatically give rise to compensation. The ECJ clarified that the non-material damage must actually exist and that the burden of proving it lies with the data subject. A mere breach of the GDPR, without proof of specific damage, is not enough to found a claim.
This is particularly relevant for companies whose processing of customer data routinely brings them within the scope of the GDPR. Business owners should ensure that processes and documentation for GDPR compliance are not only in place but also actually applied, so that disputes can be avoided or, if they arise, defended on the basis of records.
Companies are generally liable for data protection breaches by employees
Another key point of the ruling concerns the controller's exemption from liability. Art. 82 para. 3 GDPR releases a controller from liability only if it proves that it is "not in any way responsible" for the event giving rise to the damage. The ECJ held that pointing to the misconduct of employees or other persons acting under the controller's authority (Art. 29 GDPR) is not sufficient to escape liability: the controller is answerable for the conduct of the people who process data on its instructions. Businesses must therefore ensure that internal instructions are clearly and comprehensively documented, communicated and regularly reviewed.
In practice, this means that companies must not only implement training and technical and organisational security measures, but must also be able to prove that they have taken all appropriate measures to prevent GDPR infringements. Documentation of training sessions, access policies and instructions given to staff is what makes this proof possible.
Assessment of damages: The GDPR's criteria for fines do not apply
Business owners often ask which criteria determine the amount of compensation. Art. 83 GDPR lists criteria for setting administrative fines for GDPR infringements, such as the nature, gravity and duration of the infringement and whether it was intentional or negligent. The court clarified that these criteria may not be used to assess damages under Art. 82 GDPR. The amount of compensation is instead determined under the national law of each member state and is intended to fully compensate the damage actually suffered; it has a compensatory, not a punitive or deterrent, function.
In the event of an infringement, companies are therefore well advised to check at an early stage whether a claim for damages is justified in full or whether it can be reduced to the damage actually suffered.
Multiple infringements: Assessed individually, with no cumulative increase in damages
Another interesting aspect is whether several infringements committed in the same processing operation can increase the amount of damages. The ECJ ruled that multiple infringements of the GDPR do not automatically lead to higher damages. What is assessed is the specific damage actually suffered, regardless of how many provisions were infringed.
For business owners, this means that when a breach occurs, the focus should be on identifying and containing every type of damage the affected persons may suffer rather than on counting infringements. In particular, processes should be in place to limit the damage immediately, since the extent of the actual damage, not the number of breaches, is what will later be disputed when compensation is claimed.
Conclusion for companies: Prevention and clear processes are crucial
The ECJ ruling clarifies the requirements and the evidence that companies must have in hand when faced with GDPR infringements and possible claims for damages. A well-established data protection management system, clear internal guidelines and regular training for employees are crucial to minimise liability risks, because a controller cannot shift liability onto its staff and must be able to prove the measures it took. The ruling shows that a preventive and comprehensive data protection strategy not only fulfils legal requirements, but also prevents economic damage, particularly with regard to non-material damage and liability for breaches.
* This refers to persons of all gender identities. Other forms are omitted solely for readability.