Compensation responsibility for data disclosure - after the CJEU judgment C-741/21
Polish law does not need to be amended following the Court of Justice of the European Union (CJEU) judgment on the rules for claiming compensation for damages after disclosure of personal data. However, the judgment will have an impact on the way in which the provisions concerning the determination of liability rules and the right to compensation for infringements of the GDPR provisions will be interpreted.
This was the statement of the President of the Personal Data Protection Office, Mirosław Wróblewski, in a letter to the Minister for European Union Affairs, Adam Szłapka, on 18 May. The Minister requested this position after the Court of Justice of the European Union delivered its judgment in Case C-741/21 GP/juris GmbH on 11 April 2024.
In the judgment, the CJEU emphasised that when claiming compensation for non-pecuniary damage under Article 82(1) of the GDPR, it is not sufficient to simply infringe a provision of the Regulation. There must also be damage suffered by the data subject. Importantly in this context, the severity of the harm suffered is irrelevant.
This interpretation is in line with previous CJEU judgments, including the judgment of 21 December 2023 in Case C-667/21 Krankenversicherung Nordrhein and the judgment of 25 January 2024 in Case C-687/21 MediaMarktSaturn. The Court held that non-pecuniary damage may consist, in particular, of loss of control over one's own data, e.g. data processed by the controller despite an objection raised on the basis of Article 21 of Regulation 2016/679. According to the Court, Article 82(2) and (3) of Regulation 2016/679 provides for a fault-based liability regime under which the controller is presumed to have participated in the data processing constituting the infringe, so that the burden of proof is not on the person who has suffered damage, but on the controller.
The President of the Personal Data Protection Office believes that such a position of the CJEU does not affect the provisions of the Polish law. It is a well-established view in the judicature that the rules for determining liability for damage, both pecuniary and non-pecuniary, caused by a infringe of the provisions of the GDPR (Regulation 2016/679) are determined by the provisions of the Civil Code, and cases in this scope constitute civil cases within the meaning of Article 1 of the Civil Procedure Code and are decided by the courts. In particular, according to the provision of Article 415 of the Civil Code, whoever caused damage to another through his/her fault is obliged to compensate for the damage. The condition for an effective claim for damages is to demonstrate that damage has been suffered, although the legislation does not establish a requirement, a specific amount of damage suffered.
In the jurisprudence of the Polish courts, there is no doubt that the amount of damages is determined solely on the basis of the provisions of civil law, in accordance with the principle of full compensation, and the provisions of Regulation 2016/679 on fines are not applied accordingly in this respect.
In the light of the above, in the opinion of the supervisory authority, the above ruling of the Court will not require amendments to the provisions of the Polish law, which is in compliance with it, nevertheless, it will be significant for the manner of interpreting the provisions in the scope of determining the liability for damages for infringe of the provisions on personal data protection.
The opinion of the President of the DPA on the CJEU judgment C-741/21 is available in the file attached below.
