The case to be decided on 21 December 2023 in Case C-667/21 (curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-667/21) was based on the data processing of a medical service. It has the statutory task of, among other things, drawing up medical reports to dispel doubts about the incapacity for work of persons insured under the statutory health insurance scheme who fall within its area of responsibility, even if these reports concern its own employees. The plaintiff had doubts about the latter because colleagues could then possibly view his health data.
The European Court of Justice (ECJ) first establishes that Article 9(3) of the GDPR is to be interpreted in such a way that the controller responsible for the processing of health data based on Article 9(2)(h) of this regulation is not obligated, according to these provisions, to ensure that no colleague of the data subject has access to the data regarding their health condition. However, such an obligation may be imposed on the controller responsible for such processing by a regulation adopted by a Member State on the basis of Article 9(4) of this regulation or due to the principles of integrity and confidentiality specified in Article 5(1)(f) of this regulation, and concretely detailed in its Article 32(1)(a) and (b), margin number 70.
Also, the Court emphasizes that Article 9(2)(h) and Article 6(1) of the GDPR are to be interpreted in such a way that processing of health data based on the former provision is only lawful if it not only complies with the requirements arising from that provision but also fulfills at least one of the legitimacy conditions mentioned in Article 6(1), margin number 79.
Furthermore, the Court of Justice has ruled that, as the GDPR does not contain any provision dedicated to the rules for assessing compensation arising from the right to compensation under Article 82 of this regulation, national courts, for this purpose and in accordance with the principle of procedural autonomy, must apply the local regulations of individual Member States regarding the scope of financial compensation, provided that the principles of equivalence and effectiveness under EU law are observed, as defined by the consistent case law of the Court of Justice (see in this regard Judgment of May 4, 2023, Österreichische Post [Non-material damage in connection with the processing of personal data], C 300/21, EU:C:2023:370, margin number 53, 54, and 59), margin number 83.
As a result, the answer to the fourth question is that Article 82(1) of the GDPR is to be interpreted to mean that the compensation claim provided for in this provision serves a compensatory function. Compensation under this provision, which is based on a violation of this regulation, is intended to enable the complete compensation in monetary terms of the damage actually suffered as a result of the breach, and it does not serve a deterrent or punitive function, margin number 87.
The Court reiterates once again that Article 82(1) of the GDPR conditions the right to compensation on the fulfillment of three requirements, namely the existence of a violation of this regulation, the occurrence of damage, and a causal connection between the violation and the damage, margin number 90.
In this regard, it is to be understood that Article 82 of the GDPR establishes a liability regime based on fault, where the burden of proof does not rest on the person who has suffered damage but on the controller, margin number 94.
Regarding the evidence to be presented for exoneration, the court explains that it arises from the wording of Article 24 and Article 32 of the GDPR that these provisions merely prescribe to the controller to implement technical and organizational measures aimed at preventing any breach of the protection of personal data as much as possible. The adequacy of such measures is to be assessed concretely by examining whether the controller has adopted these measures taking into account the various criteria listed in the mentioned articles and the data protection needs specifically associated with the processing and the risks arising from it (see in this regard Judgment of December 14, 2023, Natsionalna agentsia za prihodite, C 340/21, EU:C:2023:986, margin number 30), margin number 96.
As the Advocate General essentially pointed out in Nr. 93 of his Opinion, choosing an interpretation where the data subjects, who have suffered damage due to a violation of the GDPR, would bear the burden of proof not only for the existence of such violation and the resulting damage but also for establishing the intent or negligence of the controller, or even the degree of fault, within the framework of a compensation claim based on Article 82 of this regulation, would be inconsistent with the objective of providing high protection. This is because Article 82 GDPR does not impose such requirements (see similarly Judgment of December 14, Natsionalna agentsia za prihodite, C 340/21, EU:C:2023:986, margin number 56), margin number 99.
As for the question regarding the assessment of the amount of compensation potentially due under Article 82 of the GDPR, it should be noted that, for the evaluation of such compensation, national courts must apply the local regulations of individual Member States regarding the scope of financial compensation, provided that the principles of equivalence and effectiveness under EU law are observed, as defined by the consistent case law of the Court of Justice, margin number 101.
It is to be clarified that, considering its compensatory function, Article 82 of the GDPR does not require the severity of the violation of this regulation, allegedly committed by the controller, to be taken into account in determining the amount of compensation granted for non-material damage under this provision. Rather, Article 82 of the GDPR requires that this amount be set to fully compensate the damage actually suffered as a result of the breach of this regulation, as indicated in paragraphs 84 to 87 of this judgment, margin number 102.
Conclusions
Claims for damages are only dependent on three conditions: a breach of the GDPR, damage and fault on the part of the controller. The ECJ considers the burden of proof to be on the plaintiff (only) regarding the first two conditions. With regard to culpability, the controller must provide evidence of exoneration, whereby the technical and organizational measures taken are of great importance. It is questionable whether exculpatory evidence can be provided at all if a GDPR infringement could have been “not unclear” (according to the ECJ in cases C-807/21 and C-683/21) to the management bodies of a controller. Due to the weakened liability requirements, the demands on the company data protection organization are likely to be higher in any case.
It is also noteworthy that the examination of the permissibility of data processing must now apparently be carried out as part of a kind of two-stage examination; in addition to any (national) special provisions to be applied (such as Article 9 GDPR), data processing must always be based on the general requirements under Article 5 and 6.
If external profiling is decisive for the actual decision, Article 22 GDPR already applies to this. The Hamburg data protection commissioner has already pointed out that this advance shift of the decision has an impact on AI solutions datenschutz-hamburg.de/news/auswirkungen-des-schufa-urteil-auf-ki-anwendungen.