
The Court of Justice of the European Union’s position on damages

The Court of Justice of the European Union’s position on damages in the event of personal data breaches is that a company can be liable to data subjects. The same applies to organisations and public bodies. Please note that damages and administrative fines are not the same. The damage does not have to be financial for data subjects to be entitled to damages; damages may also be paid for non-material damage.

Difference between damages and administrative fines 

It may be useful to understand the difference between damages and administrative fines, as many people confuse the two concepts. When a supervisory authority issues a fine to a company for breaching the GDPR, the affected data subjects receive no portion of the money. Administrative fines are instead paid by the company to the state. The data subject may claim damages, but in such cases it is not the supervisory authority that makes the claim. Instead, the data subject must bring their own action against the company in question. The data subject can also contact the company directly to try to agree on fair compensation before bringing the case to court, in order to save time and resources.

The Court of Justice of the European Union’s position on damages in the event of personal data breaches to which data subjects may be entitled 

The Court of Justice of the European Union gave a preliminary ruling following a request from the Supreme Administrative Court of Bulgaria. The request came after the Bulgarian tax authority had been subjected to a cyberattack, which resulted in millions of people’s personal data being published on the internet. Affected individuals subsequently claimed damages from the tax authority. They argued that the personal data breach could cause non-material damage, and therefore wanted compensation for it.

Findings of the Court of Justice of the European Union

The Court of Justice of the European Union (CJEU) held that it is possible for data subjects to claim damages for any non-material damage that may arise in the future as a result of the personal data breach. However, the fear must be well founded.

An important factor that the court must take into account regarding the amount of damages and liability is the safeguards that the company has put in place to protect the personal data. Companies must take appropriate organisational and technical security measures. The more important the personal data, the higher the requirements. A court may rule that a company has done as much as possible to protect personal data, but that more skilled hackers accessed it anyway, and therefore not impose a fine on the company.

European Court of Human Rights ruling on door knocking of religious communities 

The Finnish Data Protection Board banned a religious community from taking notes during its door-to-door preaching work. The Data Protection Board considered that the religious community must comply with the GDPR in such processing, which the religious community did not consider. The case went all the way to the Supreme Administrative Court, which requested a preliminary ruling from the European Court of Human Rights. The European Court of Human Rights considered that the religious community needs to obtain consent when processing personal data in connection with door-to-door knocking.
