A data subject had repeatedly left his objection to advertising with the controller and also revoked consent to receive the newsletter. Nevertheless, they were repeatedly contacted with advertising. Therefore, they sought damages under Art. 82 GDPR.
First, the ECJ reaffirms in its decision of April 11, 2024 its now-established case law that the data subject must prove that:
(1) a breach of the GDPR has occurred, (2) damage has been caused and (3) the GDPR breach was causal for the damage. The damage does not need to have reached a certain degree of severity. However, with explicit reference to EC 85, the ECJ emphasises that “loss of control” can constitute non-material damage.
The court then states that liability for damages depends on the fault of the controller and liability only ceases if there is evidence to the contrary. In this case, the controller sought to exonerate itself by claiming that the employee entrusted with the processing of their personal data had issued corresponding instructions. However, the ECJ did not accept this objection. The controller cannot exempt itself from liability by merely invoking the misconduct of a person under its authority. For a possible exemption of the controller – pursuant to Art. 82 para. 3 GDPR – from its liability, it cannot therefore be sufficient for the controller to prove that it issued instructions to the persons under its authority within the meaning of Art. 29 of this regulation and that one of these persons did not fulfil its obligation to follow these instructions and thus contributed to the occurrence of the damage in question (para. 52f). Apparently, the ECJ is of the opinion that the controller must also “ensure” compliance with his instructions (para. 49).
As a result, the ECJ further raises the requirements for an internal privacy organisation. In order to be able to provide evidence of exoneration at all, controllers are apparently not only required to set up an adequate privacy organization, including corresponding work instructions. They are also required to monitor this organization. Regular internal audits are therefore strongly recommended.