Until now, people affected by a data breach could not hope for high non-material damages in German courts based on the GDPR. This could now change: Recently, the Federal Labour Court asked the European Court of Justice (ECJ) to clarify the question of whether non-material damages in a “deterrent” amount are to be paid to the data subject on the basis of Article 82 (1) GDPR even if the controller is not at fault.
In this respect, the court is to be agreed with when it considers all circumstances of the individual case for the assessment of the non-material damages in order to achieve a complete and effective compensation. However, it is the task of the supervisory authorities to ensure by means of fines pursuant to Article 83 GDPR that infringements of the GDPR are penalized on a case-by-case basis in an effective, proportionate and dissuasive manner. The amount also depends on the violation as well as aggravating or mitigating circumstances in the respective case.
The Austrian Supreme Court takes a similar view when it assumes in its questions for a preliminary ruling to the ECJ, also recently submitted, that for the payment of non-material damages there must at least be an “infringement of some weight”.
Otherwise, a wave of lawsuits for non-material damages for even the smallest violations of the GDPR could be expected, which would burden both the judiciary and the individual companies significantly more than necessary. Together with a possible fine, this would lead to double “penalties”. It would therefore be preferable, at best, for the supervisory authorities to take their sanctioning task more seriously in the future and for Article 82 (1) GDPR to continue to serve its fundamental meaning – compensation for damage incurred. It remains to be seen whether this will be decided.
Due to the growing attention, it is more important than ever to ensure compliance concerning data protection by implementing a data protection management concept to avoid high payments. Hopefully, the ECJ will follow a mediating approach and appreciate the division of tasks between the supervisory authority and the courts as laid down in the GDPR.