Compensation for Damages for Unlawful Processing of Personal Data

The judgment of the Court of Cassation, Cass. civ., Sec. I, Ord. 12-05-2023, No. 13073, addresses a case in which a municipality was ordered to compensate damages caused to an employee as a result of unlawful processing of her personal data. This judgment raises important questions regarding compensation for damages resulting from breaches of data protection regulations, in particular Regulation (EU) 2016/679, known as GDPR.

The Case

In the case at hand, the municipality had accidentally published on its institutional website a determination regarding the garnishment for a certain amount of a municipal employee’s salary, thus violating the data protection rules of the GDPR. Upon discovering the error, the municipality had admitted that the disclosure of the data had occurred accidentally, and promptly took steps to remove the data in little more than 24 hours.

Nevertheless, the Court of First Instance had found that the municipality was liable and ordered it to pay damages. The Court of Appeal upheld that judgment, which, in turn, was appealed by the municipality before the Supreme Court.

The Supreme Court’s ruling, rejecting the Municipality’s petition, emphasised that the non-pecuniary damage that can be compensated in cases of personal data breaches is determined by the infringement of the fundamental right to the protection of personal data, enshrined both in the Constitution and in the GDPR. The Court recalled that Article 82 of the GDPR states that anyone who suffers material or non-material damage caused by a breach of the provisions of the Regulation has the right to obtain compensation for that damage from the data controller or processor.

The Legal Change

Prior to the entry into force of Regulation (EU) 2016/679, in the Italian legal system the issue of civil liability arising from the unlawful processing of personal data was governed by Article 15 of Legislative Decree No. 196 of 30 June 2003 (Personal Data Protection Code). This stipulated that anyone who caused damage to others through the processing of personal data had to pay compensation pursuant to Article 2050 of the Civil Code. Non-pecuniary damage was also compensable in the event of a breach of Article 11.

With the entry into force of the GDPR, the legislation has changed, introducing more uniform rules for liability in case of unlawful processing of personal data. The new legislation stipulates that anyone who suffers material or immaterial damage caused by a breach of the regulation has the right to obtain compensation from the data controller or processor. However, these entities may be exempted from liability if they prove that the damaging event is not attributable to them “in any way.”

The Liability of the Controller vs. the Processor

The liability of the controller and the liability of the processor arise from different facts. The data controller is the one who determines the purposes and means of the processing and is liable for the damage caused by its processing that violates the Regulation. Moreover, according to the maxim of the Supreme Court, “the data controller is always obliged to compensate for the damage caused to a person by a processing that does not comply with the Regulation itself, and may be exonerated from liability not simply if it has taken action (as is its duty) to remove the unlawfully exposed data, but only ‘if it proves that the damaging event is in no way attributable to it’.”

The data processor, on the other hand, processes personal data on behalf of the data controller and is liable only if it has not fulfilled the obligations of the Regulation specifically addressed to processors or has acted contrary to the controller’s instructions.

The Seriousness of the Damage

As regards compensation for non-pecuniary damage resulting from an infringement of the fundamental right to the protection of personal data, two conditions must be met: the seriousness of the injury and the seriousness of the damage. The violation of data protection requirements may be considered unjust, and therefore compensable, only if it has appreciably offended the scope of the right itself. Therefore, the mere violation of the formal prescriptions on the processing of data may not give rise to damage, whereas a violation that concretely offends the actual scope of the right to privacy always leads to compensation.

The burden of proving non-pecuniary damage lies with the injured party, while the data controller must prove that it has taken adequate measures to avoid the damage.

The Principle of Accountability

The entry into force of the GDPR introduced the principle of accountability, which requires the data controller to take responsibility for striking a balance between opposing interests, with full autonomy of judgement. Accountability requires the controller to modulate the concrete implementation of the principles that the legislation enshrines in the abstract, and to document how it has implemented the regulatory provisions.

In conclusion, Regulation (EU) 2016/679 has redefined the legal framework for the processing of personal data, introducing more uniform rules on responsibility and accountability. These regulations place significant emphasis on the protection of personal data and compensation for damages in case of breaches. The Supreme Court’s ruling reinforces the importance of these rules and the need for organisations to comply with them in order to avoid litigation and damages. The protection of personal data is a crucial issue in today’s digital society and requires attention and compliance from all actors involved.