IP case law Court of Justice

Referral C-687/21 (Saturn Electro, 16 Nov 2021)

General data protection law > Chapter VIII - Remedies, liability and penalties > Right to compensation and liability
General data protection law > Chapter IV - Controller and processor > Responsibility of the controller
General data protection law > Chapter I - General Provisions > Material Scope - General
General data protection law > Chapter II - Principles > Integrity and confidentiality
General data protection law > Chapter IV - Controller and processor > Security of processing

1. As no automatic legal effects are specified, is the compensation rule enacted in Article 82 of the General Data Protection Regulation invalid in the case of non-material damage?

2. Is it necessary, for the purposes of the right to compensation, to establish the occurrence of non-material damage, to be demonstrated by the claimant, in addition to the unauthorised disclosure of the protected data to an unauthorised third party?

3. Does the accidental disclosure of the personal data of the data subject (name, address, occupation, income, employer) to a third party in a paper document (printout), as the result of a mistake by employees of the processing undertaking, suffice in order to establish infringement of the General Data Protection Regulation?

4. Where the undertaking accidentally discloses, through its employees, data entered in an automated data processing system to an unauthorised third party in the form of a printout, does that accidental disclosure to a third party qualify as unlawful further processing (Article 2(1), Article 5(1)(f), Article 6(1) and Article 24 of the General Data Protection Regulation)?

5. Is non-material damage within the meaning of Article 82 of the General Data Protection Regulation incurred even where the third party who received the document containing the personal data did not read the data before returning the document containing the information, or does the discomfort of the person whose personal data were unlawfully disclosed suffice for the purpose of establishing non-material damage within the meaning of Article 82 of the General Data Protection Regulation, given that every unauthorised disclosure of personal data entails the risk, which cannot be eliminated, that the data might nevertheless have been passed on to any number of people or even misused?

6. Where accidental disclosure to third parties is preventable through better supervision of the undertaking’s helpers and/or better data security arrangements, for example by handling collections separately from contract documentation (especially financing documentation) under separate collection notes or by sending the documentation internally to the collection counter without giving the customer the printed documents and collection note, how serious should the infringement be considered to be (Article 32(1)(b) and (2) and Article 4, point 7, of the General Data Protection Regulation)?

7. Is compensation for non-material damage to be regarded as the award of a penalty similar to a contract penalty?


Case details on the CJEU website (external link)

Disclaimer