Art 82 (1) GDPR - GP v Juris GmbH

Landgericht Saarbrücken

Author Anna16 Licence CC BY-SA 3.0  Source Wikimedia Commons

 

Jane Lambert

Court of Justice of the European Union (K. Jürimäe, President of the Chamber, N. Piçarra and N. Jääskinen (Rapporteur), Judges), Case 741/21 GP v juris GmbH  [2024] EUECJ C-741/21, ECLI:EU:C:2024:288, EU: C:2024:288

This was a request by the Landgericht Saarbrücken for a preliminary ruling on the interpretation of art 82 (1) and (3) of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, pp. 1–88) read in conjunction with arts 29 and 83 and the 85th and 146th recitals. The request was made in the course of proceedings that the claimant, GP, had brought against juris GmbH, the defendant, for compensation for damage arising from the defendant's unauthorised processing of his personal data.

The Dispute

The defendant published online legal information as well as newsletters.  One of its subscribers was the claimant, a lawyer in independent private practice.  He discovered that juris GmbH had used his personal data for direct marketing.  He withdrew his consent to the processing of his personal data and closed his email and telephone updating accounts, but continued to receive newsletters from the defendant company.   Even though he had withdrawn his consent, he continued to receive mailshots from juris, including some with a code that enabled him to access an online form containing his personal data, which had been created long after he had withdrawn his consent to the processing of his personal data.

The Action

GP launched an action against juris GmbH in the Landgericht Saarbrücken (the intermediate court of first instance for Saarbrücken) for compensation for material and non-material damage under art 82 (1) of the GDPR. His material damage consisted of the costs of instructing a bailiff and notary.  He alleged that his loss of control over his personal data resulting from the unauthorised processing constituted non-material damage.  Juris denied liability.  It stated that it had established a system for managing objections to direct marketing.  Its explanation for the stray mailshots was isolated slip-ups by its employees, and that the cost of preventing such slip-ups altogether was prohibitive. Mere breaches of obligation under the GDPR, such as non-compliance with objections under art 21 (3), cannot, by themselves, constitute ‘damage’ within the meaning of art 82 (1).

The Reference

The Landgericht Saarbrücken decided to stay the proceedings and refer the following questions to the Court of Justice of the European Union ("CJEU") for a preliminary ruling under art 267 of the Treaty on the Functioning of the European Union:

"(1) In the light of recital 85 and the third sentence of recital 146 of the GDPR, is the concept of ‘non-material damage’ in Article 82 (1) of the GDPR to be understood as covering any impairment of the protected legal position, irrespective of the other effects and materiality of that impairment?
(2) Is liability for compensation under Article 82 (3) of the GDPR excluded by the fact that the infringement is attributed to human error in the individual case on the part of a person acting under the authority of the processor or controller within the meaning of Article 29 of the GDPR?
(3) Is it permissible or necessary [to base] the assessment of compensation for non-material damage [on the] criteria for determining fines set out in Article 83 of the GDPR, in particular in Article 83 (2) and 83(5) of the GDPR?
(4) Must the compensation be determined for each individual infringement, or are several infringements - or at least several infringements of the same nature - penalised by means of an overall amount of compensation, which is not determined by adding up individual amounts but is based on an evaluative overall assessment?"

Judgment

The CJEU delivered its reply in Case 741/21 GP v juris GmbH  [2024] EUECJ C-741/21, ECLI:EU:C:2024:288, EU: C:2024:288 on 11 April 2024.

Legislation

The Court considered the 85th, 146th and 148th recitals of the GDPR and arts 4 (1), (7) and (12), 5, 21, 24 (1) and (2), art 25 (1), 29, 32 (1) (b), (2) and (4), 79, 82 (1), (2) and (3), 82 (2) (a), (b) and (k), (3) and (5) and 84 (1) of its provisions.

The First Question

Juris GmbH challenged the admissibility of the first question on the ground that the damage alleged by GP in the main proceedings, a loss of control over his personal data, did not occur.  It alleged that GP's data had been lawfully processed under his contract with the defendant company.  The CJEU rejected the challenge.  It was for the national court to determine the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment in the proceedings before it and the relevance of the questions that it submits to the Court.  There was no reason in this case to doubt the question's relevance.

The Court reframed the Landgericht's first question as "whether Article 82 (1) of the GDPR must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is sufficient, in itself, to constitute ‘non-material damage’, within the meaning of that provision, irrespective of the degree of seriousness of the harm suffered by that person."  

Referring to para [58] of its judgment in  Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH, [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI: EU: C:2024:72, EU: C:2024:72, [2024] WLR(D) 53 and the cases cited therein, the Court noted that it had already interpreted art 82 (1) as meaning that the mere infringement of that regulation is not sufficient to confer a right to compensation.  The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in art 82 (1).   So, too, does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative.   Applying paras [60] and [61] of that judgment and the cases cited, a person seeking compensation for non-material damage under art 82 (1)  must establish not only the infringement of provisions of that regulation, but also that such infringement caused him or her such damage.

The Court added that it had interpreted art 82 (1) as precluding a national rule or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness, while emphasising that that person is nevertheless required to demonstrate that the infringement of that regulation caused him or her such non-material damage (paras [59] and [60] of MediaMarktSaturn and the cases referred to in those paragraphs).

The answer to the first question was that art 82 (1) must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.

The Second Question

The Landgericht asked whether art 82 (3) must be interpreted as meaning a controller can be exempted from liability under art 83 (1) by claiming that the damage in question was caused by the failure of a person acting under his authority within the meaning of art 29.   

The Court observed that it had already held in Case C‑667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts ECLI:EU:C:2023:1022, EU: C:2023:1022, [2023] EUECJ C-667/21  from a combined analysis of art 82 (2) and (3) that that article provides for a fault-based regime, in which the controller is presumed to have participated in the processing constituting the breach of the GDPR in question, so that the burden of proof lies not with the person who has suffered damage but with the controller.

As an employee of the controller is a natural person acting under the authority of that controller, it is for that controller to ensure that his or her instructions are correctly applied by his or her employees. Accordingly, the controller cannot avoid liability under art 82 (3) simply by relying on negligence or failure on the part of a person acting under his or her authority.   If it were accepted that a controller could be exempted from liability merely by relying on the failure of a person acting under his or her authority, that would undermine the effectiveness of the right to compensation under art 82 (1).

The answer to the second question was that art 82 must be interpreted as meaning that it is not sufficient for the controller to claim that the damage in question was caused by the failure of a person acting under his or her authority within the meaning of art 29 to be exempted from liability under art 82 (3).

The Third and Fourth Questions

The CJEU took the referring court's third and fourth questions together.  That court had asked whether art 82 must be interpreted as meaning that it is necessary to:

• apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83 GDPR, and/or 
• take account of the fact that several infringements of the GDPE concerning the same processing operation affect the person seeking compensation

 In determining the amount of damages due as compensation for damage under that article.

The CJEU began by pointing out that arts 82 and 83 serve different functions. Art 82 governs the right to compensation and liability while art 83 determines the ‘general conditions for imposing administrative fines.    It follows that the criteria set out in art 83 for determining the amount of administrative fines cannot be used to assess the amount of compensation under art 82.

The GDPR does not contain any provision relating to the assessment of the damages due under art 82.  For the purposes of that assessment, the national courts must apply the domestic rules of each Member State relating to the extent of monetary compensation, provided that the principles of equivalence and effectiveness of EU law are complied with (see paras [83] and [101] of Krankenversicherung Nordrhein and the cases referred to and para [53] of MediaMarktSaturn).   The Court has emphasized that art 82 has a compensatory function and not punitive. The right to compensation does not fulfil a deterrent, or even punitive, function. It follows that the amount cannot exceed the full compensation for that damage (para [86] of Krankenversicherung Nordrhein).

As to the way in which national courts must assess the amount of monetary compensation under art 82 of in the case of multiple infringements affecting the same data subject, it should, first of all, be pointed out that it is for each Member State to establish the criteria for determining the amount of that compensation, subject to compliance with the principles of effectiveness and equivalence of EU law.  Next, in view of the compensatory rather than punitive function of art 82, the fact that several infringements have been committed by the controller in relation to the same data subject cannot constitute a relevant criterion for the purposes of assessing the compensation to be awarded to that data subject under art 82. Only the damage actually suffered by the data subject must be taken into consideration to determine the amount of money due by way of compensation.

The answer to the third and fourth questions is that art 82 (1) of the GDPR must be interpreted as meaning that it is not necessary to:

• apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83; and/or 
• take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation

to determine the amount of money due as compensation for damage based on that article.

Ruling

The CJEU ruled as follows:

"1. Article 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.
2. Article 82 of Regulation 2016/679 must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.
3. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation."

Comment

This is another important authority on the assessment of compensation for the infringement of the GDPR under art 82 (1).  In this decision, the CJEU made clear that the rules for assessing fines under art 83  are not to be taken into account for determining compensation under art 82 (1).  The regulation sets no criteria for such assessment other than that the function art 82 (1) is not punitive but compensatory.  It is a matter for the national courts subject to the principles of equivalence and effectiveness of EU law.

Another takeaway from the decision is that a controller cannot escape liability under art 82 (3) GDPR by showing that its employee had slipped up.   It is surprising that juris GmbH believed that the point was worth arguing.   As the Court observed, it would have undermined the right to compensation under art 82 (1) had juris GmbH succeeded.

Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during normal UK office hours or send me a message through my contact form.

Entitlement to Compensation - East Dunbartonshire Council v Paton

Southbank Marina

Author G, Laird Licence CC BY-SA 2.0 Source Wikimedia Commons

 

Jane Lambert

Sheriff Appeal Court Civil (Appeal Sheriff O'Carroll) East Dunbartonshire Council v Paton [2026] SAC (Civ) 17 (4 March 2026)

This was an appeal by East Dumbartonshire Council against an award of compensation under art 82 (1) UK GDPR to the father of a child for damage incurred as a result of the council's delay in rectifying a risk assessment form.  The local authority did not dispute that it had caused damage by the delay for which it had to pay compensation.  Nor did it dispute the amount of compensation.  The only issue in the appeal was whether the compensation had been paid to the right person.

Background

The child had been a pupil at a school maintained by the appellant council where she suffered bullying. Her father complained to the head teacher, who prepared a draft form assessing the risk to the child's physical safety as "medium" and the risk to her emotional well-being as "high".  The school sent the draft to the child's father for his consideration.

The school introduced control measures which led it to reduce its assessment of the risk to the child's physical safety as "low" and her emotional well-being as "medium".  The girl's father accepted that the measures had reduced the risks to his daughter but expressed concern that the risk to her well-being remained "medium".  He sought further advice from the school on reducing the risk to his child's well-being which the school provided the same day.

Despite the control measures, further difficulties arose which prompted the father to complain to the school.   The school rejected most of his complaints, whereupon the father resorted to the Scottish Public Services Ombudsman.  The ombudsman requested a risk assessment from the council.   Instead of sending the draft that had been shown to the child's father, the authority prepared a modified form showing the risk to her emotional well-being as "low".

Claim for Rectification

After seeing the modified form, the father asked the local authority to amend the risk assessment to his daughter's well-being.  The council admitted that its risk assessment had been wrong but refused to modify it.   The father issued proceedings in the Sheriff's Court claiming rectification of the assessment form under art 16 GDPR and compensation for damage resulting from the council's delay in rectifying the form under art 82 (1).  The council admitted that the modified assessment form was incorrect and that it should be rectified, but contended that the data belonged to the child rather than her father and that, for that reason, the claim should fail. 

The Sheriff's Decision

The Sheriff found in favour of the father and awarded him compensation under art 82 (1).  He held that the information on the form was the father's personal data.  He found that it was incorrect and should be rectified. He also found that the father had sustained damage as a result of the council's delay in rectifying the record.   In reaching his decision, the Sheriff relied on the judgments of the Court of Justice of the European Union in Case C-434/16 Nowak v Data Protection Commissioner  [2017] EUECJ C-434/16, [2018] WLR 3505, [2018] 1 WLR 3505, EU: C:2017:994, [2018] 2 CMLR 21, ECLI:EU:C:2017:994, [2018] WLR(D) 8 and Mrs Justice Heather Williams in Ashley v Commissioners for His Majesty's Revenue and Customs [2025] EWHC 134 (KB).

The Appeal

The Council appealed to the Sheriff Appeal Court on the ground that the data relating to the child's risk assessment belonged to her and not her father and that he had not been entitled to seek rectification or compensation.  The appeal came on before Appeal Sheriff O'Carroll who delivered judgment in East Dumbartonshire Council v Paton [2026] SAC (Civ) 17 on 4 March 2026.  In para [23] of his judgment, the learned Appeal Sheriff dismissed the appeal.

Approach

In para [16], Appeal Sheriff O'Carroll and adopted considered the approach of the court below:

"What the case law and the two cases cited demonstrate in my view is that the correct approach to determining whether a right to access and associated rights exist, once the controller or processor of the data is identified, is firstly to identify the data to which access and rectification is sought. Then decide whether that data is personal data or not considering the statutory definition and wide interpretation of personal data adopted by the courts. Then, the task is to identify who is the subject of the data, that is to say the identified or identifiable person to whom the data relates. Then determine whether the data subject is entitled to rights of access or rectification or any other rights provided by the data protection legislation. Then, ascertain whether that that right has been asserted and exercised. Then, where the asserted right has been refused or blocked in some way, determine whether the data subject has a remedy and if so what and on what basis. Remedies include access, erasure, rectification, blocking and compensation, among others."

Whose Data? 

The learned Appeal Sheriff observed that the parties and first instance sheriff had narrowed the issue in dispute to a single question. Was the disputed data the personal data of the girl or her father?  In doing so, all concerned appeared to have assumed that the question was binary, that the data could be the personal data of only one or the other.

Not a Binary Question

The Appeal Sheriff explained why that was wrong:

"However, as frequently occurs in practice, any given piece of information may amount to personal data simultaneously of more than one person. See the useful discussion in Jay, Data Protection Law and Practice (5th Edition), at paragraphs 13-033 et seq. Information may inextricably form personal data of two or more persons. In the Novak case for example, the court noted that the personal data sought by Mr Novak was also the personal data of the examiner. In DB v General Medical Council [2019] 1 WLR 4044, , the independent expert report obtained by the GMC regarding the competence of a GP's treatment, sought by the patient who alleged negligent treatment, was simultaneously the personal data of the patient and the GP (and it might be said, though not argued, that of the author as well). Another example might be a joint bank account statement: that will comprise the personal data of each joint account holder. In this appeal, the Council itself states in its submission, correctly, that the disputed data was also that of the head teacher. The legislation itself makes specific provision for access rights in such cases of mixed personal data: see Articles 5 and 15 of GDPR and Schedule 2, Part 3, paragraph 16 to the 2018 Act. See also paragraph 17 of Part 3 for specific provision made in the case of education officials (such as risk assessor in this case) which removes the reasonableness test as regards the disclosure of that education official's personal data in certain circumstances."

He concluded that it cannot be said that if the information comprised the personal data of the child, it could not also be the personal data of her father.

It was obvious that the risk priority rating for emotional well-being was the girl's, but it was also her father's in the particular circumstances of the case.  The sheriff found after hearing evidence that the purpose of the data was not only to inform the council's employees’ decisions regarding the safety and well-being of the child, it was also to satisfy her father that those matters were being adequately dealt with by the council's officers.

Comment

The fact that the same data may relate to more than one data subject is often used as a reason for withholding data on a subject access request.   This decision makes clear that such excuses cannot be relied upon.  That does not mean that third-party rights can be overridden.  They have to be protected by redaction or otherwise.

Anyone wishing to discuss this article may call me on 020 7404 5252 during normal UK office hours ot send me a message through my contact form at any time. 

Construction of art 82 (1) GDPR: Case C‑590/22 AT and another v PS GbR and others

Wesel Court House

Author KingKurt  Licence CC BY-SA 4.0  Source Wikimedia Commons

 

Jane Lambert

Court of Justice of the European Union (K. Jürimäe, President of the Chamber, K. Lenaerts, President of the Court, N. Piçarra, N. Jääskinen (Rapporteur) and M. Gavalec, Judges) Case C‑590/22 AT and another v PS GbR and others ECLI:EU: C:2024:536, [2024] EUECJ C-590/22, EU: C:2024:536

This was a request by the Wesel Amtsgericht for a preliminary ruling on the interpretation of art 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’) pursuant to art 267 of the Treaty on the Functioning of the European Union.  The request was made in proceedings between AT and BT against PS Gesellschaft bürgerlichen Rechts ("PS GbR") and its members for compensation for the disclosure of their personal data to third parties without their consent as a result of an error by the firm.

The Proceedings

PS GbR was a tax consultancy, and AT and BT were two of its clients.  AT and BT instructed PS GbR to draw up their tax return.  The consultancy carried out their instructions but sent the return to AT and BT's previous address.  AT and BT recovered the envelope that had contained the tax return but found that it contained only a covering letter and a copy of the return.  The missing documents contained the names, dates of birth, tax identification numbers, religious denominations, bank details, professions, places of work and disability status of AT and BT, as well as their children's personal data.  AT and BT sued PS GbR and its members for €15,000 compensation in the Wesel Amtsgericht, the lowest civil court in the German legal system.

The Reference

The court decided that it could not decide the claim without referring the following questions to the Court of Justice of the European Union:

"(1) Is it sufficient for the establishment of a claim for compensation under Article 82 (1) of [the GDPR] that a provision of [that regulation] serving to protect the claimant has been infringed or is it necessary that a further adverse effect on the claimant has occurred, beyond the infringement of the provision as such?
(2) Under EU law, does the establishment of a claim for compensation for non-material damage under Article 82 (1) of the GDPR require an adverse effect of a certain magnitude?
(3) In particular, is it sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions of the GDPR, even though that circumstance cannot be positively established?
(4) Is it in conformity with EU law for the national court to apply mutatis mutandis the criteria of the second sentence of Article 83 (2) of the GDPR - which, according to the wording, apply only to administrative fines - when assessing compensation for non-material damage under Article 82 (1) of the GDPR?
(5) Must the amount of a claim for compensation for non-material damage under Article 82 (1) of the GDPR also be assessed by reference to the fact that the amount of the claim awarded serves to have a deterrent effect and/or to prevent the “commercialisation” (calculated acceptance of administrative fines/compensation payments) of infringements?
(6) Is it in conformity with EU law, when assessing the amount of a claim for compensation for non-material damage under Article 82(1) of the GDPR, to take into account simultaneous infringements of national provisions which have as their purpose the protection of personal data but which are not delegated or implementing acts adopted in accordance with that regulation or Member State laws [specifying rules] of that regulation?’

Legislative Context

The CJEU considered recitals (85), (146) and (148) and  arts 4 (1), (7), (10) and (12), 79 (1) and 83 (3) and (5) of the GDPR as well as the following paragraphs of art 82:

"1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
......."

Judgment

The CJEU delivered judgment on 20 June 2024 (Case C‑590/22 AT and another v PS GbR and others ECLI:EU: C:2024:536, [2024] EUECJ C-590/22, EU: C:2024:536).

The First and Second Questions

The Court took the 1st and 2nd questions together.  In its view, the Amstgericht was asking whether art 82 (1) should be interpreted as meaning that the mere infringement of the GDPR would be sufficient to give rise to compensation or whether a claimant had also to show that the infringement had led to damage of a sufficient degree of seriousness.  

The CJEU has already held in para [32] of Case C‑300/2 UI v Österreichische Post AG [2023] WLR(D) 221, EU: C:2023:370, [2023] EUECJ C-300/21, ECLI: EU: C:2023:370 and para [34] of Case C‑741/21, GP v juris GmbH [2024] EUECJ C-741/21, ECLI: EU: C:2024:288, EU: C:2024:288 that it is clear from the wording of the article that the existence of ‘damage, whether material or non-material, constitutes one of the conditions for compensation under art 82 (1).  So, too, does the existence of an infringement and of a causal link between that damage and the infringement.  The three conditions are cumulative.

It follows that it cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers a right to compensation.  The answer to question 1 is that art 82 (1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

The Third Question

The 3rd question was reframed as to whether art 82 (1) should be interpreted as meaning that a data subject's fear that his or her personal data had been disclosed to third parties without any certainty as to whether that had actually happened is sufficient to give rise to a claim for non-material damage under that article.  

Citing paras [30] and [44] of UI v Österreichische Post AG and para [64] of Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH, [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI: EU: C:2024:72, EU: C:2024:72, [2024] WLR(D) 53, the CJEU noted that the concept of ‘non-material damage’, within the meaning of art 82 (1), must be given an autonomous and uniform definition specific to EU law.  

The Court has already held in Case C‑340/21VB v Natsionalna agentsia za prihodite EU: C:2023:986, ECLI:EU: C:2023:986, [2024] WLR(D) 17, [2023] EUECJ C-340/21 and BL v MediaMarktSaturn Hagen-Iserlohn GmbH that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’, within the meaning of art 82 (1).  It added that the loss of control over personal data, even for a short period of time, may constitute ‘non-material damage’, within the meaning of art 82 (1), giving rise to a right to compensation, provided that the data subject can show that he or she has actually suffered such damage, however slight.

A person who considers that his or her personal data has been processed in breach of the relevant provisions of the GDPR and seeks compensation on the basis of art 82 (1)  must therefore prove that he or she has actually suffered material or non-material damage.  However,  a mere allegation of fear, with no proven negative consequences, cannot give rise to compensation.

The CJEU concluded at para [36] that the answer to the 3rd question is that art 82 (1) must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.

The Fourth and Fifth Questions

In the 4th and 5th questions the Amtsgericht asked whether art 82 (1) should be interpreted as meaning that, to determine the amount of damages due as compensation for damage based on that provision, it is necessary, to apply the criteria for setting the amount of administrative fines laid down in art 83 mutatis mutandis and that a dissuasive function be conferred on the right to compensation.  The CJEU observed that arts 82 and 83 pursue different objectives. While art 83 determines the "general conditions for imposing administrative fines", art 82 governs the "right to compensation and liability."   The criteria set out in art 83 for the purposes of determining the amount of administrative fines cannot be used to assess the amount of damages under art 82 thereof (see para [57] ) of C‑741/21, GP v juris GmbH).  The answer to the 4th and 5th questions is that art 82 (1) must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83, and, second, to confer on that right to compensation a dissuasive function.

The Sixth Question

In its 6th question, the Amtsgericht was asking whether art 82 (1) must be interpreted as meaning that, to determine the amount of damages due as compensation for damage based on that provision, account must be taken of simultaneous infringements of national provisions relating to the protection of personal data, but not intended to specify the rules of that regulation.  The Court ruled that it was not necessary to take account of simultaneous infringements of national provisions that relate to the protection of personal data, but which are not intended to specify the rules of that regulation.

The Ruling

The CJEU ruled as follows:

"1. Article 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.
2. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.
3. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to confer on that right to compensation a dissuasive function.
4. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation."

Comment

As this ruling was delivered after IP completion day, courts in England and Wales, Scotland and Northern Ireland are not bound by it or the principles contained in this judgment.  However, s.6 (2) of the European Union (Withdrawal) Act 2018, as amended, permits courts in those jurisdictions to have regard to it insofar as it is relevant to any matter before them.   This judgment will therefore be cited and considered in cases on the meaning and effect of art 82 of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)).

Anyone wishing to discuss this case may call me on +44 (0)20 7404 5252 or send me a message through my contact form.

Data Protection Litigation: Pre-action Protocol for Media and Communications Claims

Jane Lambert

 

There has recently been a surge in claims by individuals seeking to enforce their rights under data protection legislation through litigation.  I have appeared in two such claims this week, one in London and another in the Thames Valley.  I have also advised in writing and in conference on several more. A surprising aspect of the surge is that the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 are much more complicated than the Data Protection Act 1998 and the Data Protection Act 1984, which preceded them. Those Acts also provided rights of action, but they were used much less frequently than the present legislation.  Another surprise is the infrequency with which parties refer to the Pre-action Protocol for Media and Communications Claims, even though that protocol applies to all data protection claims.  In both of the cases in which I appeared this week, observance of the protocol would have made a significant difference to the outcome of the litigation.  

Effective Judicial Remedy

Art 79 (1) of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) as modified by The Data Protecion, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) entitles data subjects to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the regulation.  That includes a right under art 82 (1) to compensation from a controller or processor for any material or non-material damage that may arise as a result of such non-compliance.

Pre-action Protocols

Para 1 of Practice Direction - Pre-action Conduct and Protocols states that pre-action protocols explain the conduct and set out the steps the court would normally expect parties to take before commencing proceedings for particular types of civil claims. Para 2 warns that a person who knowingly makes a false statement in a pre-action protocol letter or other document prepared in anticipation of legal proceedings may be subject to proceedings for contempt of court.  Para 3 states that the objectives of pre-action conduct and protocols are to enable parties to disputes to:

"(a) understand each other’s position;
(b) make decisions about how to proceed;

(c) try to settle the issues without proceedings;
(d) consider a form of Alternative Dispute Resolution (ADR) to assist with settlement;
(e) support the efficient management of those proceedings; and
(f) reduce the costs of resolving the dispute."

Para 4 stresses that a pre-action protocol must not be used by a party as a tactical device to secure an unfair advantage over another party. Only reasonable and proportionate steps should be taken by the parties to identify, narrow and resolve the legal, factual or expert issues.  Para 5 adds that disproportionate costs in complying with any pre-action protocol are likely to be irrecoverable.  Para 6 states that where there is a relevant pre-action protocol, the parties should comply with it before commencing proceedings.  Para 8 reminds parties that litigation should be a last resort. As part of a relevant pre-action protocol, the parties should consider whether negotiation or some other form of ADR might enable them to settle their dispute without commencing proceedings.

Non-compliance with a protocol can be penalized in several ways.  For example, para 16 states that a party at fault may be ordered to pay costs on an indemnity basis or a successful party may be deprived of some or all of his or her costs.

Pre-action Protocol for Media and Communications Claims

Although it is not listed among the "Protocols in Force" in para 18 of PD-Pre-action Conduct and Protocols, para 1.1 of the Pre-action Protocol for Media and Communications Claims states that it applies to data protection claims, including those brought by litigants in person. If a party to a claim becomes aware that another party is a litigant in person, he or she should send a copy of the protocol to the litigant in person at the earliest opportunity.

The aims of the protocol listed in para 2.1 are similar to those of the practice direction, namely enabling parties to prospective claims to:

"(a) understand and properly identify the issues in dispute and to share information and relevant documents;
(b) make informed decisions as to whether and how to proceed;
(c) try to settle the dispute without proceedings or reduce the issues in dispute;
(d) avoid unnecessary expense and control the costs of resolving the dispute; and
(e) support the efficient management of proceedings where court proceedings cannot be avoided."

Para 3.1 requires intending claimants to notify intended defendants of their claims in writing at the earliest reasonable opportunity.   They are also reminded of the need for proportionality in formulating both the letter of claim and response in para 2.2:

"In formulating both the Letter of Claim and Response and in taking any subsequent steps, the parties should act reasonably to keep costs proportionate to the nature and gravity of the case and the stage the complaint has reached."

The following information should be included in the letter of claim: 

• the name of the claimant;
• the nature of and basis for the entitlement to the remedies sought by the claimant;
• any facts or matters relevant to England and Wales being the most appropriate forum for the dispute; and
• details of any funding arrangement in place.

Para 3.4 adds that letters of claim in data protection cases should also include:

•  "any further information necessary to identify the data subject;
• the data controller to which the claim is addressed;
• the information or categories of information which is claimed to constitute personal data including, where necessary, the information which is said to constitute sensitive personal data or to fall within a special category of personal data;
• sufficient details to identify the relevant processing;
• the identification of the duty or duties which are said to have been breached and details of the manner in which they are said to have been breached, including any positive case on behalf of the Claimant;
• why the personal data ought not to be processed/further processed, if applicable;
• the nature and any available details as to any particular damage caused or likely to be caused by the processing/breach of duty complained of; and
• Where a representative data protection claim is intended to be brought on behalf of data subjects, the letter of claim should also: set out the nature of the entity which intends to bring the claim and explain how it fulfils the relevant suitability criteria – see Article 80 of the General Data Protection regulation (GDPR); include details of the data subjects on whose behalf the claim would be brought; and, confirmation that they have mandated the representative body to represent them and receive compensation, where applicable."

Defendants are required by para 3.6 to provide a full response to the letter of claim, as soon as reasonably possible. If a defendant believes that he or she will be unable to respond within 14 days (or such shorter time limit as specified in the letter of claim), then he or she should specify the date by which he/she intends to respond.

Para 3.7 requires letters of response to include:

• "whether or to what extent the Claimant’s claim is accepted, whether more information is required or whether it is rejected;
• if the claim is accepted in whole or in part, the Defendant should indicate which remedies it is willing to offer;
• if more information is required, then the Defendant should specify precisely what information is needed to enable the claim to be dealt with and why;
• if the claim is rejected, then the Defendant should explain the reasons why it is rejected, including a sufficient indication of any statutory exemptions or facts on which the Defendant is likely to rely in support of any substantive defence;
• in a defamation or malicious falsehood claim, the defamatory or false imputation(s) the Defendant contends was conveyed by the statement complained of, if any; and
• where the Claimant to a proposed action has indicated his/her intention to make an application to bring the claim anonymously, the Defendant should indicate whether the Defendant accepts such an order would be appropriate and give an indication of the basis for the Defendant’s position."

Para 3.8 reminds parties that litigation should be a last resort, while para 3.9 suggests the following options for parties to data protection disputes:

"(a) without prejudice discussions and negotiations between the parties;
(b) mediation – a form of facilitated negotiation assisted by an independent neutral third party; [and]
(c) early neutral evaluation (ENE) – a third party giving an informed opinion on the dispute (for example, a lawyer experienced in the field of [data protection] or an individual experienced in the subject matter of the claim)......."

Para 3.10 mentions the need to consider offers under CPR Part 36.  If a dispute is not settled, para 3.11 encourages parties to undertake a further review of their respective positions, to consider the state of the papers and the evidence in order to see if proceedings can be avoided and, at least, narrow the issues between them which can assist efficient case management.  

Finally, parties are referred to other provisions which they might find useful, such as CPR Part 25: Interim Remedies and Security for Costs and CPR PD48 paragraphs 3.1 and 3.2: Part 2 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 Relating to Civil Litigation Funding and Costs.

Further Information
Anyone wishing to discuss this article further may call me on 020 7404 5252 during UK office hours or send me a message through my contact form at any time.

IC fines Data Controller more than £1.2 million for Infringing Art 5 (1) (f) UK GDPR

 

Jane Lamebert

LastPass UK Ltd Penalty Notice 20 Nov 2025

By para [1] of his penalty notice dated 20 Nov 2025, the Information Commissioner for the United Kingdom ordered  LastPass UK Ltd ("LastPass") to pay a penalty of £1,228,283 pursuant to s.155 (1) (a) of the Data Protection Act 2018 for infringing art 5 (1) (f) and art 32 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as amemded ("the UK GDPR").

The Obligation

Art 5 (1) (f) of the UK GDPR provides:

"Personal data shall be

................

(f)   processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

Art 5 (2) further provides that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1, a principle known as "accountability".

Art 32 (1) amplifies the above duty:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

The Infringement

The Commissioner found that LastPass had infringed arts 5 (1) (f) and 32 (1) between 31 Dec 2021 and 31 Dec 2024 in failing to implement appropriate technical and organizational measures to ensure an appropriate level of security for the personal data for which the company was responsible, and the ongoing confidentiality and integrity of its processing systems and services.  

The infringements resulted from allowing employees to access accounts from a personal device, where the latter contained the decryption keys required to access customers’ personal data and combine their personal and employee business accounts so that they could be accessed by a single master password.  Because LastPass failed to implement and use appropriate technical and organizational measures, personal data relating to 1,631,410 customers in the UK were unlawfully accessed in two incidents during August 2022.

Enforcement

S.l55 (1) (a) of the Data Protection Act 2018 provides that the Commissioner may, by written notice, require that person to pay to the Commissioner an amount specified in the notice if he is satisfied that a person has failed to comply with any of the provisions of the UK GDPR specified in section 149 (2) of the Act.

Appeal

Para [228] of the penalty notice advised LastPass that it had a right of appeal against both the notice and the amount of the penalty to the First-tier Tribunal (General Regulatory Chamber) (Information Rights) to be exercised within 28 days of the date of the notice.

Civil Liability

In addition to the Information Commissioner's administrative sanctions, anyone who suffers material or non-material damage as a result of an infringement of the UK GDPR has a right to compensation from the controller for the damage suffered under art 82 (1) of the regulation (see Taking your case to court and claiming compensation on the ICO website).

Further Information

Anyone wishing to discuss this article may call me on 020 7404 5252 during UK office hours or send me a message through my contact form. 

Data (Use and Access) Act 2025 - Part 1: Access to Business and Customer Data

Baroness Jones of Whitchurch

Author Roger Harris  Licence CC BY 3.0  Source  UK Parliament

Jane Lambert

In Data Protection Law Reform (23 Dec 2025), I discussed the Conservative government's proposed Data Reform Bill and its Data Protection and Digital Information Bill.  Part 3 of that bill was headed "Customer Data and Business Data" and was intended to create a statutory framework for smart data, that is to say, sharing customer data and business data with third parties who will use that information to create new businesses and services.  The previous government set out its plans for smart data in The Smart Data Roadmap in April 2024.

As I mentioned in Data Protection Law Reform, the Data Protection and Digital Information Bill did not complete its passage through Parliament before the 2024 general election.  However, as Lady Jones of Whitchurch said on the second reading of the Data (Use and Access) Bill in the House of Lords on 19 Nov 2024, facilitating smart data was in the Labour Party manifesto.  In her speech, she said:

"My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day."

That bill received royal assent on 19 June 2025.  I introduced it in Data Use and Access: Structure on 26 Dec 2025.

In that introduction, I said that the Act consisted of 8 parts and 16 schedules.   The first of those parts is headed "Access to customer data and business data" and consists of 26 sections.  It covers much the same ground as Part 3 of the Data Protection and Digital Information Bill, though Lady Jones said that there had been several important changes to make her bill more focused, more balanced, and better able to achieve its objectives.

The key provision of part 1 is s.1 (1):

"This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data."

S.2 (1) of the Act enables the Secretary of State or the Treasury to make regulations requiring a data holder to provide customer data to a customer at his or her request or to a person authorized by the customer to receive the data (an “authorized person”), at the customer’s request or at the authorized person’s request.  

"Customer data" is defined by s.1 (2) as information relating to a customer of a trader.  It includes information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request.  It could be information about 

• prices or other terms on which goods, services or digital content are supplied or provided to the customer or another person, 
• how they are used by the customer or other person, or 
• their performance or quality when used by the customer or another person.

Such data can also include information relating to the provision of information described above or of other information relating to a customer of a trader, to a person in accordance with data regulations. A “trader” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

S.4 (1) enables the Secretary of State or the Treasury to make regulations requiring a data holder to publish business data or to provide it to a customer of the trader to whom the business data relates, or
to another person of a specified description.  “business data”, in relation to a trader, means information:

• about goods, services and digital content supplied or provided by the trader,
• relating to the supply or provision of goods, services and digital content by the trader, such as 
• where goods, services or digital content are supplied or provided, 
• prices or other terms on which they are supplied or provided, 
• how they are used, or 
• their performance or quality,
• relating to feedback about the goods, services or digital content (or their supply or provision), and
• relating to the provision of information described above to a person in accordance with data regulations.

There will also be regulations on enforcement, fees, financial services and other matters.

Other than reg 2 (a) of The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, which provided for Part 1 of the Act: Access to Business and Customer Data to come into force on 20 Aug 2025, no regulations have been made.  There are likely to be further consultations on the secondary legislation, which I shall monitor.

Guidance from the Department for Science, Innovation and Technology accompanying the introduction of the bill on 24 Oct 2024 estimated that the legislation would bring an estimated £10 billion boost to the UK economy over 10 years.   Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time. 

Further Information

Jane Lambert  Data (Use and Access) Act 2025: Structure 26 Dec 2025