Apart from potentially very high administrative penalties that national data protection authorities may impose on violators of the EU’s General Data Protection Regulation (as has already occurred, for example, in France), under the GDPR any person who has suffered material or non-material damage has the right to obtain compensation from the controller or processor of his personal data for the damage suffered. This is an instrument that has attracted much less attention than administrative sanctions, but it may have very serious financial consequences.
German court’s decision
In November 2018, the German district court in Diez issued the first ruling in Germany, and most likely also the first in the European Union, on compensation for material damage on the basis of Art. 82 GDPR. The case concerned an email sent by an entity asking for consent to receive a newsletter. The recipient had not given prior consent to being sent emails. In the legal proceedings, she claimed compensation of EUR 500. The district court dismissed the claim on the grounds that the person who sent the unfortunate email had already paid the injured party EUR 50, and in the court’s view that was sufficient compensation. Prior to the ruling, the German district court did not refer a question to the Court of Justice of the European Union on how damages should be calculated under Art. 82 GDPR, despite a request to that effect.
Importance of the ruling for GDPR practice
The decision of the German district court may undoubtedly be helpful in the handling of similar cases by courts in other countries, in particular if they concern sending emails without the recipient’s consent. It also seems that the court has given a clear signal that a figure like the EUR 500 requested by the claimant would be excessive compensation for intangible damage in such a case. As Art. 82 GDPR does not provide clear guidelines on the criteria for calculating damages, the German ruling appears to be the first indication of what amounts can be considered in similar cases. However, it cannot be ruled out that in a different factual situation, in which the negative consequences for the injured party are more serious than just receiving an unwanted email, the compensation could be significantly higher. The amount of compensation would certainly also be affected by e.g. the type of personal data affected by the breach (such as health data) or further consequences of the personal data breach for the injured party.
The situation is also problematic because, so far, the Polish legal system has not had a mechanism that is a direct equivalent of Art. 82 GDPR, and compensation for similar infringements could be obtained on the basis of regulations governing the infringement of personal rights. Therefore, decisions made on this ground should, at least indirectly, be taken into account when awarding damages on the basis of Art. 82 GDPR.
It should also be noted that in the case of bulk emails sent by the organisers of advertising campaigns, there may be thousands of injured parties. If each of them receives compensation of EUR 50, the costs of paying compensation may be very high. This makes it all the more important to formulate precisely the agreements in which sellers of goods or services entrust the processing of personal data to entities conducting advertising campaigns based on mailings. If the contractor processes data outside of the data controller’s instructions, it will be deemed to be a data controller itself. This may affect the scope of its liability to data subjects.
In light of the above, it might have been more helpful if the German court had decided to seek a preliminary ruling from the CJEU on the guidelines for calculation of damages. However, it seems that national courts will be more inclined to do so in the future, when more national rulings are available, which will provide the CJEU with material for in-depth analysis of the issue.