Judgment of the Court (Third Chamber) of 25 January 2024.

BL v MediaMarktSaturn Hagen-Iserlohn GmbH.

Request for a preliminary ruling from the Amtsgericht Hagen.

Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Interpretation of Articles 5, 24, 32 and 82 – Assessment of the validity of Article 82 – Inadmissibility of the request for an assessment of validity – Right to compensation for damage caused by data processing which infringes that regulation – Transmission of data to an unauthorised third party on account of an error made by the employees of the controller – Assessment of the appropriateness of the protective measures implemented by the controller – Compensatory function fulfilled by the right to compensation – Effect of the severity of the infringement – Whether necessary to establish the existence of damage caused by that infringement – Concept of ‘non-material damage’.

Case C-687/21.

ECLI:EU:C:2024:72

62021CJ0687

January 25, 2024
25 January 2024 (*1)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Interpretation of Articles 5, 24, 32 and 82 – Assessment of the validity of Article 82 – Inadmissibility of the request for an assessment of validity – Right to compensation for damage caused by data processing which infringes that regulation – Transmission of data to an unauthorised third party on account of an error made by the employees of the controller – Assessment of the appropriateness of the protective measures implemented by the controller – Compensatory function fulfilled by the right to compensation – Effect of the severity of the infringement – Whether necessary to establish the existence of damage caused by that infringement – Concept of ‘non-material damage’)

In Case C‑687/21,

REQUEST for a preliminary ruling under Article 267 TFEU from the Amtsgericht Hagen (Local Court, Hagen, Germany), made by decision of 11 October 2021, received at the Court on 16 November 2021, in the proceedings

MediaMarktSaturn Hagen-Iserlohn GmbH, formerly known as Saturn Electro-Handelsgesellschaft mbH Hagen,

THE COURT (Third Chamber),

composed of K. Jürimäe, President of the Chamber, N. Piçarra, M. Safjan, N. Jääskinen (Rapporteur) and M. Gavalec, Judges,

Advocate General: M. Campos Sánchez‑Bordona,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

BL, by D. Pudelko, Rechtsanwalt,

MediaMarktSaturn Hagen‑Iserlohn GmbH, formerly known as Saturn Electro‑Handelsgesellschaft mbH Hagen, by B. Hackl, Rechtsanwalt,

Ireland, by M. Browne, Chief State Solicitor, A. Joyce and M. Lane, acting as Agents, and by D. Fennelly, Barrister‑at‑Law,

the European Parliament, by O. Hrstková Šolcová and J.‑C. Puffer, acting as Agents,

the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,

having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,

gives the following

Legal context

‘(11) Effective protection of personal data throughout the [European] Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, …’

(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …

(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. …’

“personal data” means any information relating to an identified or identifiable natural person (“data subject”); …

(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …

(10) “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(12) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

…’

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

…’

(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

…’

Article 84 of that regulation, entitled ‘Penalties’, provides in paragraph 1 thereof:

‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’

The dispute in the main proceedings and the questions referred for a preliminary ruling

In those circumstances, the Amtsgericht Hagen (Local Court, Hagen) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

(1) As no automatic legal effects are specified, is the compensation rule enacted in Article 82 of the [GDPR] invalid in the case of non-material damage?

(2) Is it necessary, for the purposes of the right to compensation, to establish the occurrence of non-material damage, to be demonstrated by the claimant, in addition to the unauthorised disclosure of the protected data to an unauthorised third party?

(3) Does the accidental disclosure of the personal data of the data subject (name, address, occupation, income, employer) to a third party in a paper document (printout), as the result of a mistake by employees of the [concerned] undertaking, suffice in order to establish infringement of the [GDPR]?

(4) Where the undertaking accidentally discloses, through its employees, data entered in an automated data processing system to an unauthorised third party in the form of a printout, does that accidental disclosure to a third party qualify as unlawful further processing (Article 2(1), Article 5(1)(f), Article 6(1) and Article 24 of the [GDPR])?

(5) Is non-material damage within the meaning of Article 82 of the [GDPR] incurred even where the third party who received the document containing the personal data did not read the data before returning the document containing the information, or does the discomfort of the person whose personal data were unlawfully disclosed suffice for the purpose of establishing non-material damage within the meaning of Article 82 of the [GDPR], given that every unauthorised disclosure of personal data entails the risk, which cannot be eliminated, that the data might nevertheless have been passed on to any number of people or even misused?

(6) Where accidental disclosure to third parties is preventable through better supervision of the undertaking’s helpers and/or better data security arrangements, for example by handling collections separately from contract documentation (especially financing documentation) under separate collection notes or by sending the documentation internally to the collection counter without giving the customer the printed documents and collection note, how serious should the infringement be considered to be (Article 32(1)(b) and (2) and Article 4, point 7, of the [GDPR])?

(7) Is compensation for non-material damage to be regarded as the award of a penalty similar to a contract penalty?

Consideration of the questions referred

The first question

The third and fourth questions

paragraphs 26 and 27).

38. It is apparent, accordingly, from the wording of Articles 24 and 32 of the GDPR that the appropriateness of the measures implemented by the controller must be assessed in a concrete manner, taking into account the various criteria referred to in those articles and the data protection needs specifically inherent in the processing concerned and the risks arising from the latter, and that all the more since that controller must be able to demonstrate that the measures it implemented comply with that regulation, a possibility which it would be deprived of if an irrebuttable presumption were accepted (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraphs 30 to 32).

39. That literal interpretation is supported by reading Articles 24 and 32 together with Article 5(2) and Article 82 of that regulation, read in the light of recitals 74, 76 and 83 thereof, from which it follows, in particular, that the controller is obliged to mitigate the risks of personal data breaches and not prevent all breaches of those data (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraphs 33 to 38).

40. Therefore, the Court interpreted Articles 24 and 32 of the GDPR as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a ‘third party’, within the meaning of Article 4, point 10, of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’, within the meaning of Articles 24 and 32 (judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 39).

41. In the present case, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is capable of indicating that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of those Articles 24 and 32. In particular, such a circumstance may result from negligence or a failure in the controller’s organisation, which does not take into account in a concrete manner the risks in relation to the processing of the data at issue.

42. In that regard, it must be pointed out that it follows from a reading of Articles 5, 24 and 32 of the GDPR together, read in the light of recital 74 thereof, that, in an action for compensation under Article 82 of that regulation, the controller concerned bears the burden of proving that the personal data are processed in such a way as to ensure appropriate security of those data, within the meaning of Article 5(1)(f) and of Article 32 of that regulation. Such an allocation of the burden of proof is capable not only of encouraging the controllers of those data to adopt the security measures required by the GDPR, but also of retaining the effectiveness of the right to compensation provided for in Article 82 of that regulation and upholding the intentions of the EU legislature referred to in recital 11 thereof (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraphs 49 to 56).

43. Therefore, the Court interpreted the principle of accountability of the controller, set out in Article 5(2) of the GDPR and given expression in Article 24 thereof, as meaning that, in an action for compensation under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation (judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 57).

44. Accordingly, a court hearing such an action for compensation under Article 82 of the GDPR cannot take into account only the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data, in order to determine whether there is an infringement of an obligation laid down in that regulation. That court must also take into account all of the evidence that the controller provided to demonstrate that the technical and organisational measures adopted by him or her are appropriate with a view to complying with his or her obligations under Articles 24 and 32 of that regulation.

45. In light of the foregoing reasons, the answer to the third and fourth questions is that Articles 5, 24, 32 and 82 of the GDPR, read together, must be interpreted as meaning that, in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32.

The seventh question

46. By its seventh question, the referring court asks, in essence, whether Article 82 of the GDPR must be interpreted as meaning that the right to compensation provided for in that provision, in particular in the case of non-material damage, fulfils a punitive function.

47. In that regard, the Court held that Article 82 of the GDPR fulfils a function that is compensatory and not punitive, contrary to other provisions of that regulation also contained in Chapter VIII thereof, namely Articles 83 and 84, which have, for their part, essentially a punitive purpose, since they permit the imposition of administrative fines and other penalties, respectively. The relationship between the rules set out in Article 82 and those set out in Articles 83 and 84 shows that there is a difference between those two categories of provisions, but also complementarity, in terms of encouraging compliance with the GDPR, it being observed that the right of any person to seek compensation for damage reinforces the operational nature of the protection rules laid down by that regulation and is likely to discourage the reoccurrence of unlawful conduct (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 38 and 40, and of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraph 85).

48. The Court stated that, since the right to damages provided for in Article 82(1) of the GDPR does not fulfil a deterrent function, or even punitive, but fulfils a compensatory function, the severity of the infringement of that regulation that caused the damage concerned cannot influence the amount of the compensation granted under that provision, even where it concerns non-material damage and not material damage, in that that amount cannot exceed the full compensation for that damage (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraphs 86 and 87).

49. It follows from the foregoing that it is not necessary to rule on the alignment, contemplated by the referring court, between the purpose referred to by the right to compensation laid down in Article 82(1) and the punitive function of a contractual penalty.

50. Therefore, the answer to the seventh question is that Article 82(1) of the GDPR must be interpreted as meaning that the right to compensation laid down in that provision, in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a punitive function.

The sixth question

51. By its sixth question, the referring court asks, in essence, whether Article 82 of the GDPR must be interpreted as meaning that that article requires that the degree of severity of the infringement of that regulation made by the controller is taken into consideration for the purposes of compensation under that provision.

52. In that regard, it follows from Article 82 of the GDPR that, first, establishing the liability of the controller is, in particular, subject to fault on the part of the controller, which is presupposed unless it proves that it is not in any way responsible for the event giving rise to the damage, and secondly, Article 82 does not require that the severity of that fault is taken into consideration when setting the amount of the compensation allocated for non-material damage under that provision (judgment of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraph 103).

53. As regards the assessment of the compensation payable under Article 82 of the GDPR, since that regulation does not contain a measure having such an aim, the national courts must, for the purpose of that assessment, apply the internal rules of each Member State relating to the extent of the pecuniary compensation, to the extent that the principles of equivalence and effectiveness of EU law can be observed (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraphs 83 and 101 and the case-law cited).

54. In addition, the Court stated that, having regard to the compensatory function of the right to compensation laid down in Article 82 of the GDPR, that provision does not require taking into consideration the severity of the infringement of that regulation, that the controller is presumed to have made, while setting the amount of the compensation allocated for non-material damage under that provision, but requires that that amount is set in a way that the damage actually suffered as a result of the infringement of that regulation is compensated in full (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraphs 84 to 87 and 102 and the case-law cited).

55. In light of the foregoing reasons, the answer to the sixth question is that Article 82 of the GDPR must be interpreted as meaning that that article does not require that the severity of the infringement made by the controller be taken into consideration for the purposes of compensation under that provision.

The second question

56. By its second question, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that the person seeking compensation under that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement led to his or her non-material or material damage.

57. In that regard, it should be recalled that Article 82(1) of the GDPR provides that ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’.

58. It is apparent from the wording of that provision that the mere infringement of the GDPR is not sufficient to confer a right to compensation. The existence of ‘damage’ or ‘harm’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Article 82(1), as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 32 and 42; of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 77; of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraph 14; and of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraph 82).

59. As regards, in particular, the non-material damage, the Court also held that Article 82(1) of the GDPR precludes a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject, as defined in Article 4, point 1, of that regulation, has reached a certain degree of seriousness (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 51; of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 78; and of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraph 16).

60. The Court stated that a person concerned by an infringement of the GDPR which had negative consequences for him or her is, however, required to demonstrate that those consequences constitute non-material damage, within the meaning of Article 82 of that regulation, since the mere infringement of the provisions thereof is not sufficient to confer a right to compensation (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 42 and 50; of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 84; and of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraphs 21 and 23).

61. In light of the foregoing reasons, the answer to the second question is that Article 82(1) of the GDPR must be interpreted as meaning that the person seeking compensation by way of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage.

The fifth question

62. By its fifth question, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that, if a document containing personal data was provided to an unauthorised person, and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, is likely to consist of the mere fact that the person concerned fears that, following that communication which made it possible to make a copy of that document before returning it, a dissemination, even abuse, of those data may occur in the future.

63. It is important to specify that the referring court states that, in the present case, the document containing the data concerned was returned to the applicant in the main proceedings within half an hour following it having been provided to an unauthorised third party and that that unauthorised third party did not become aware of those data before the document’s return. That applicant submits, however, that that document’s provision gave that third party the possibility to take copies of the document before returning it and that it therefore created a fear for the applicant linked to the risk occurring in the future of those data being abused.

64. Having regard to the absence of any reference in Article 82(1) of the GDPR to the domestic law of the Member States, the concept of ‘non-material damage’, within the meaning of that provision, must be given an autonomous and uniform definition specific to EU law (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 30 and 44, and of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraph 15).

65. The Court held that it is apparent not only from the wording of Article 82(1) of the GDPR, read in the light of recitals 85 and 146 of that regulation, which encourage the acceptance of a broad interpretation of the concept of ‘non-material damage’ within the meaning of that first provision, but also the objective of ensuring a high level of protection of natural persons with regard to the processing of their personal data, which is referred to by the regulation, that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’, within the meaning of Article 82(1) (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraphs 79 to 86).

66. Furthermore, on the basis of considerations of a literal, systemic and teleological nature, the Court held that the loss of control of the personal data for a short period of time may cause the data subject ‘non-material damage’, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, subject to that person demonstrating having actually suffered such damage, however minimal, bearing in mind that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation on that basis (see, to that effect, judgment of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraphs 18 to 23).

69. Therefore, the answer to the fifth question is that Article 82(1) of the GDPR must be interpreted as meaning that, if a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future.

Costs

70. Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Third Chamber) hereby rules:

1. Articles 5, 24, 32 and 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together

must be interpreted as meaning that in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32.

2. Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the right to compensation laid down in that provision, in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a punitive function.

3. Article 82 of Regulation 2016/679

must be interpreted as meaning that that article does not require that the severity of the infringement made by the controller be taken into consideration for the purposes of compensation under that provision.

4. Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the person seeking compensation by way of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage.

5. Article 82(1) of Regulation 2016/679

must be interpreted as meaning that if a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future.

[Signatures]

(*1) Language of the case: German.
