This document is an excerpt from the EUR-Lex website
Document 62021CC0667
Opinion of Advocate General Campos Sánchez-Bordona delivered on 25 May 2023.#ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts.#Request for a preliminary ruling from the Bundesarbeitsgericht.#Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 6(1) – Conditions for lawful processing – Article 9(1) to (3) – Processing of special categories of data – Data concerning health – Assessment of an employee’s working capacity – Health insurance medical service processing data concerning the health of its own employees – Conditions for such processing and whether permissible – Article 82(1) – Right to compensation and liability – Compensation for non-material damage – Compensatory function – Impact of negligence on the part of the data controller.#Case C-667/21.
Opinion of Advocate General Campos Sánchez-Bordona delivered on 25 May 2023.
ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts.
Request for a preliminary ruling from the Bundesarbeitsgericht.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 6(1) – Conditions for lawful processing – Article 9(1) to (3) – Processing of special categories of data – Data concerning health – Assessment of an employee’s working capacity – Health insurance medical service processing data concerning the health of its own employees – Conditions for such processing and whether permissible – Article 82(1) – Right to compensation and liability – Compensation for non-material damage – Compensatory function – Impact of negligence on the part of the data controller.
Case C-667/21.
Opinion of Advocate General Campos Sánchez-Bordona delivered on 25 May 2023.
ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts.
Request for a preliminary ruling from the Bundesarbeitsgericht.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 6(1) – Conditions for lawful processing – Article 9(1) to (3) – Processing of special categories of data – Data concerning health – Assessment of an employee’s working capacity – Health insurance medical service processing data concerning the health of its own employees – Conditions for such processing and whether permissible – Article 82(1) – Right to compensation and liability – Compensation for non-material damage – Compensatory function – Impact of negligence on the part of the data controller.
Case C-667/21.
Court reports – general – 'Information on unpublished decisions' section
ECLI identifier: ECLI:EU:C:2023:433
CAMPOS SÁNCHEZ-BORDONA
delivered on 25 May 2023 ( 1 )
Case C‑667/21
ZQ
v
Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts
(Request for a preliminary ruling
from the Bundesarbeitsgericht (Federal Labour Court, Germany))
(Reference for a preliminary ruling – Protection of personal data – Personal data concerning health – Assessment of the working capacity of an employee – Medical service of a health insurance fund – Processing of personal data concerning employee health – Right to compensation for damage – Effect of the degree of fault)
1. |
This reference for a preliminary ruling concerns the interpretation of Regulation (EU) 2016/679 ( 2 ) as regards (a) the processing of personal data concerning health, and (b) compensation for damage suffered as a result of an (alleged) breach of the GDPR itself. |
2. |
Although the Court of Justice has already ruled on the provisions of the GDPR ( 3 ) relating to those matters, the questions raised in this reference for a preliminary ruling have not been addressed before, with the exception of the fourth question. ( 4 ) |
I. Legal framework
A. European Union law. The GDPR
3. |
Recitals 4, 10, 35, 51 to 54 and 146 of the GDPR are relevant to this dispute. |
4. |
Under Article 9 (‘Processing of special categories of personal data’): ‘1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: …
…
… 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies. 4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.’ |
5. |
Article 82 (‘Right to compensation and liability’) states: ‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. … 3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. …’ |
B. National law. Sozialgesetzbuch Fünftes Buch ( 5 )
6. |
The first sentence of Paragraph 278(1) provides that a medical service ( 6 ) of the health insurance funds ( 7 ) is to be established as a body governed by public law in every federal state. One of its tasks, conferred on it by law, is to draw up reports designed to remove doubts as to insured persons’ incapacity for work. |
7. |
Under point 3(b) of the first sentence of Paragraph 275(1), in certain circumstances, the KV are required – in the event of an insured person’s incapacity for work as attested by a medical certificate – to request a report from the relevant MDK designed to remove doubts as to that person’s incapacity for work. |
II. Facts, dispute and questions referred for a preliminary ruling
8. |
In 1991, ZQ took up employment with the MDK of North Rhine (Germany) as a system administrator in the IT department and on the helpdesk. |
9. |
The MDK draws up reports on the incapacity for work of insured persons of the KV, which may include reports concerning the health of the MDK’s own employees. |
10. |
Data processing is governed, inter alia, by the following rules set out in an internal operating manual: ( 8 )
|
11. |
After the records have been filed, the employees of the ‘IT Department’ of the ‘Special Cases’ organisational unit are able, subject to a statutory duty of confidentiality, to access reports drawn up pursuant to a request relating to the MDK’s employees. |
12. |
ZQ had been continuously ill and incapacitated for work since 22 November 2017. |
13. |
As from 24 May 2018, ( 10 ) ZQ received sickness benefits paid for by the KV which insured him. On 6 June 2018, the KV requested a report from the MDK in order to remove doubts as to ZQ’s incapacity for work. |
14. |
The MDK accepted the request, which it assigned to the ‘Special Cases’ unit. On 22 June 2018, a doctor from that unit, employed by the MDK, issued a report containing ZQ’s diagnosis. In order to draw up that report, the doctor spoke to ZQ’s general practitioner by telephone and gathered relevant information from him. |
15. |
The MDK filed the report electronically. |
16. |
ZQ’s general practitioner informed him of the telephone call from the MDK’s doctor. |
17. |
On 1 August 2018, ZQ contacted a work colleague in the MDK’s IT department and asked her whether a report had been filed concerning him. After searching the files, ZQ’s colleague responded in the affirmative. At ZQ’s request, she took photographs of the report and sent them to him. |
18. |
On 15 August 2018, ZQ unsuccessfully sought compensation from the MDK in the amount of EUR 20000 on the basis of Article 82 of the GDPR. |
19. |
On 17 October 2018, ZQ brought an action before the Arbeitsgericht Düsseldorf (Labour Court, Düsseldorf, Germany). In that action, he also claimed compensation equivalent to lost earnings. ( 11 ) |
20. |
During the court proceedings, the MDK terminated its employment relationship with ZQ. |
21. |
ZQ’s claims were dismissed both at first instance and on appeal. ( 12 ) |
22. |
ZQ brought an appeal before the Bundesarbeitsgericht (Federal Labour Court, Germany), which has referred the following questions to the Court of Justice:
|
III. Procedure before the Court of Justice
23. |
The request for a preliminary ruling was received at the Court on 8 November 2021. |
24. |
Written observations were submitted by ZQ, the MDK, the Irish and Italian Governments and the European Commission. |
25. |
It was not considered necessary to hold a hearing. |
26. |
In accordance with the instructions given by the Court, this Opinion will not address the fourth question referred for a preliminary ruling. ( 13 ) |
IV. Analysis
A. First question referred
27. |
The referring court enquires whether Article 9(2)(h) of the GDPR prohibits an MDK from processing data concerning the health of one of its employees where those data are a prerequisite for assessing that employee’s working capacity. It thus questions the lawfulness of the processing on the basis of the entity carrying it out. ( 14 ) |
28. |
Article 9 of the GDPR applies to special categories of data, such as data concerning a person’s health. It lays down a general prohibition on the processing of ‘sensitive’ data (paragraph 1) and exhaustively lists the circumstances in which the general prohibition does not apply (paragraph 2). |
29. |
In particular, Article 9(2)(h) of the GDPR includes an exception (to the general prohibition) for the processing of personal data ‘for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment’. |
30. |
In my view, that provision provides sufficient cover for the conduct of the MDK at issue in this case. ( 15 ) It is irrelevant that the controller is, at the same time, the data subject’s employer, since the MDK is not acting as an employer but as the medical service of a KV with which the data subject is insured. ( 16 ) |
31. |
I see no reason to interpret point (h) of Article 9(2) of the GDPR as prohibiting a medical service from processing its employees’ health data for the purpose set out in that point. The usual criteria of interpretation suggest the opposite (non-existence of such a prohibition). |
32. |
From a literal standpoint, Article 9(2)(h) of the GDPR does not contain such an exclusion, nor does it require as a condition for processing that the controller be a ‘neutral third party’. ( 17 ) |
33. |
The legislative history and the development of the provision also do not point to a prohibition such as that mentioned in the first question referred for a preliminary ruling or disclose any intention of including such a prohibition. ( 18 ) |
34. |
The purpose of the GDPR rules on the processing of data concerning health is, as the Court of Justice has held, ( 19 ) to afford data subjects greater protection given the particular sensitivity of those data for the fundamental rights at issue. That objective is served by the general prohibition laid down in Article 9(1) of the GDPR, which, however, is not absolute. ( 20 ) |
35. |
In this area, as in others concerning the processing of personal data, the legislature has chosen, after establishing the general prohibition:
|
36. |
In the abstract, there is nothing to prevent the specific safeguards to which I have just referred from prohibiting an MDK from processing data concerning the health of its employees. However, the inclusion of such a prohibition (which the EU legislature chose not to do) does not seem to me to be necessary in order to further the objective mentioned above. |
37. |
I therefore consider that the prohibition which the referring court asks about is not the inevitable consequence of a teleological interpretation of Article 9(2)(h) of the GDPR. |
38. |
Nor do I believe that a systematic interpretation of that provision would have a different outcome, since:
|
39. |
In short, I propose that the first question referred for a preliminary ruling should be answered in the negative (namely that the prohibition in question does not exist in the GDPR), which makes it possible to address the next question. |
B. Second question referred
40. |
If (as I suggest) the answer to the first question referred for a preliminary ruling is in the negative, the referring court enquires whether ‘in a case such as the present one, [there] are … further data protection requirements, beyond the conditions set out in Article 9(3) of the GDPR, that must be complied with, and, if so, which ones’. |
41. |
Broadly speaking, the answer to that question should not be overly problematic. ( 26 ) The Court of Justice has made clear that all processing of personal data must comply with the principles of Article 5 of the GDPR and with one of the conditions for lawfulness set out in Article 6 thereof. ( 27 ) |
42. |
According to the referring court, compliance with the obligation of secrecy (Article 9(3) of the GDPR) would not be sufficient to protect data in circumstances such as those of the present case. It proposes other, complementary measures which, in its view, would be the only measures suitable for that purpose. ( 28 ) |
43. |
I am of the view that, as such, Article 9(3) of the GDPR cannot serve as a basis for those additional measures. Its clear wording (which merely refines a provision already contained in Directive 95/46) ( 29 ) does not support proposals such as that of the referring court. |
44. |
By contrast, those proposals could be covered by Article 9(4) of the GDPR. Under that provision, Member States may impose ‘further conditions, including limitations, with regard to the processing of … data concerning health’. ( 30 ) However, it is not apparent from the order for reference that that occurred in Germany. |
45. |
That said, and for the reasons set out above, the processing of personal data concerning health must be subject, among other principles, to the principle laid down in Article 5(1)(f) of the GDPR and to the obligations deriving therefrom, detailed in Chapter IV of the GDPR. |
46. |
The controller ( 31 ) must also implement appropriate technical and organisational measures to ensure that a specific processing operation complies with the GDPR. General provision is made to that effect in Article 24(1) of the GDPR. |
47. |
In particular, Article 32(1) of the GDPR requires controllers to implement ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ posed to the personal data concerned. |
48. |
Applying those rules to the present case, the MDK’s status as employer vis-à-vis ZQ imposes on it a higher than usual duty of care in relation to the processing of ZQ’s health data, because the risks are also higher. ( 32 ) |
49. |
The MDK is not oblivious to that fact. When, at the request of a KV with which its employee is insured, it draws up reports to remove doubts as to that employee’s (in)capacity for work, it implements a set of specific technical and organisational measures intended to ensure that the processing of personal data concerning health complies with the GDPR. ( 33 ) |
50. |
The assessment of those measures is a matter for the referring court, which may decide, after its assessment, that the measures taken were not sufficient. However, that does not mean that it can be inferred from Article 9 of the GDPR that an MDK is required to refuse automatically any request for a medical report (concerning its employees) from a KV. ( 34 ) |
C. Third question referred
51. |
Assuming that the answer to the first question referred for a preliminary ruling is in the negative, in its third question the referring court enquires whether the exception to the prohibition on the processing of data concerning health ‘depend[s] on the fulfilment of at least one of the conditions set out in Article 6(1) of the GDPR’. |
52. |
In order to answer that question, it is necessary to examine the relationship between Article 9(2) of the GDPR and Article 6 thereof on the lawfulness of processing. The need to comply with the latter article in all processing of data is laid down in the judgments of the Court of Justice cited above. ( 35 ) |
53. |
In particular, in its judgment in Case C‑439/19, ( 36 ) the Court interpreted Article 10 of the GDPR concerning another category of sensitive personal data (relating to criminal convictions and offences) ( 37 ) and found that Article 6 of the GDPR applies in tandem with Article 10. |
54. |
Does the same premiss apply to the personal data referred to in Article 9 of the GDPR? |
55. |
The structure of Articles 9 and 10 of the GDPR is different. Article 10 contains an express reference to Article 6(1) of the GDPR while Article 9 does not. |
56. |
The content of Article 9(2) and Article 10 of the GDPR is also not comparable: Article 10 merely lays down a subjective restriction on processing, while Article 9(2) sets out the purposes (or circumstances) justifying such processing, like Article 6(1). |
57. |
Indeed, the similarities between Articles 6(1) and 9(2) of the GDPR are such that, at first sight, the circumstances listed in the latter appear to be specifications of the conditions listed in the former: they elaborate on them and, at the same time, make them more onerous. |
58. |
The history and development of Article 9 of the GDPR cast doubt, however, on whether the relationship between it and Article 6 can be explained in terms of ‘special law’ and ‘general law’. |
59. |
It is common ground that that interpretation was in fact supported by some Member State delegations. ( 38 ) However, documents concerning the negotiations on Article 9 reveal disagreements not about the reference to Article 6 ( 39 ) but rather about its scope (only paragraph 1 or other paragraphs too?). ( 40 ) In the end, the reference in Article 9 to Article 6 was deleted ( 41 ) and a paragraph similar to the present recital 51 of the GDPR was retained in the preamble. ( 42 ) |
60. |
The notion of cumulation or complementarity between the two provisions is shared by the European Data Protection Committee ( 43 ) and was defended by the Article 29 Working Party ( 44 ) in relation to Article 8 of Directive 95/46. ( 45 ) However, that interpretation is not without its detractors among academic legal commentators and in other relevant circles. ( 46 ) |
61. |
Having regard to the different subparagraphs of Article 9(2) of the GDPR, I am inclined to the view that the relationship between that provision and Article 6 does not really allow for a single answer to be given. Thus:
|
62. |
I therefore consider that, in order to ensure that the processing of sensitive data permitted by Article 9(2)(h) of the GDPR is lawful, it is necessary to ascertain which of the conditions set out in Article 6(1) provides such processing with a legitimate basis in each case. |
63. |
The referring court does not dispute that this is the case, but rather, on the basis of that premiss, denies that the processing carried out by the MDK is justified under Article 6. ( 48 ) |
64. |
At first sight, there does not seem to me to be an order of precedence between the legal bases contemplated in that provision. A more thorough analysis may require a more nuanced approach. ( 49 ) I consider, however, that such an analysis would go beyond what is needed to provide an answer to this reference for a preliminary ruling. ( 50 ) |
65. |
In short, the answer to the third question referred for a preliminary ruling should indicate to the referring court that the exception to the prohibition on processing data concerning health requires the fulfilment of at least one of the conditions set out in Article 6(1) of the GDPR. |
D. Fifth question referred
66. |
The referring court enquires whether ‘the degree of fault on the part of the controller or processor [has] a [bearing on] the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) of the GDPR’ and, in particular, whether ‘non-existent or minor fault on the part of the controller or processor [can] be taken into account in their favour’. |
67. |
The question assumes that the GDPR was infringed ( 51 ) by the controller and asks whether the degree of fault on the controller’s part is relevant for the purposes of quantifying the compensation due for damage caused as a result of that infringement. According to the referring court, it is unclear whether the absence of fault or minor fault on the part of the controller may be regarded as exculpatory evidence. |
68. |
Taken at face value, the question focuses on the quantification of compensation. The accompanying explanations nevertheless generated some confusion as it was unclear whether they were concerned with fault as a condition for attributing liability or as a factor for adjusting the amount of compensation. |
69. |
When asked by the Court of Justice to clarify that ambiguity, the referring court stated that the question related to both aspects but did not provide any further details as to how they were connected to the main proceedings. |
70. |
In the light of that reply, I will answer the questions raised by the referring court after (also) addressing those raised by the MDK concerning the possible involvement of the data subject in the occurrence of the damage. ( 52 ) My analysis comprises three parts.
|
1. Basis for civil liability under Article 82 of the GDPR
71. |
The referring court is of the view that paragraph 1 of Article 82 of the GDPR does not make the civil liability (of the processing manager ( 54 )) conditional on the existence or proof of intent or negligence. It adds that paragraph 3 of that article does not support any other outcome. |
72. |
It is admittedly not clear what model of civil liability the GDPR has opted for and that various interpretations are, a priori, possible. ( 55 ) The referring court’s approach is one of them and is, to my mind, the correct approach. |
73. |
Interpreting Article 82(1) of the GDPR as establishing a system of civil liability that is detached from the fault of the processing manager is, I think, in line with its wording, is directly supported by its travaux préparatoires and, above all, serves the purpose pursued by the provision. It is acceptable in the light of other paragraphs of that provision, as well as the scheme viewed as a whole. |
(a) Literal approach
74. |
The position taken by the referring court is consistent with the wording of Article 82(1) of the GDPR. On the face of it, the right to receive compensation from the controller is tied, without further formality, to the damage suffered as a result of a breach of the GDPR. |
75. |
The remaining paragraphs of Article 82 do not point to any other answer. ( 56 ) In particular, I would not venture to infer a requirement of fault from Article 82(3) based on the word ‘liable’. That word appears only in some language versions of the GDPR, while others, by contrast, use ‘responsible’. In the German-language version, neither Article 82 nor the preamble includes the technical term specific to liability for fault (‘Verschulden’). ( 57 ) |
76. |
A comparison of the different provisions of the GDPR shows that the terminology used is not always unambiguous, with the result that caution must be exercised when drawing inferences from their wording. In the English-language version, for example, the word ‘responsible’ is used to convey a wide range of meanings. ( 58 ) |
77. |
The absence of any reference to the intention or fault of the controller in Article 82 of the GDPR contrasts with the references in Article 83 concerning administrative fines: ‘when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case’ due regard is to be given to the intentional or negligent character of the infringement of the GDPR. ( 59 ) |
78. |
Although the mismatch between the wording used weakens the persuasiveness of the literal approach to interpretation, it at least supports the idea that neither intention nor fault is present in Article 82 of the GDPR and that that omission is deliberate and not the result of an oversight by the legislature. |
(b) Travaux préparatoires
79. |
The discussions on the basis for attributing liability that was ultimately included in the GDPR were obscured by the context in which they took place within the Council, regarding the matter of multiple processing parties. |
80. |
Those discussions were intermingled with procedural considerations and did not consider the distinction between, on the one hand, the function served by fault as a basis for attributing liability and, on the other, the function served by the absence of fault for the purposes of exempting a person from such liability. |
81. |
Nonetheless, I think that the travaux préparatoires support an interpretation of Article 82(1) of the GDPR under which civil liability does not depend on the existence of fault on the part of the controller. |
82. |
The Commission proposal followed the approach taken in Directive 95/46 and did not refer to negligence. A number of Council documents mention that the type of liability envisaged is ‘strict liability’. ( 60 ) |
83. |
An amendment tabled in the Committee on Civil Liberties, Justice and Home Affairs of the Parliament sought to link liability to intent or negligence in the wording of paragraph 1 of Article 82 (then Article 77). ( 61 ) It was not passed. ( 62 ) |
84. |
In the Council, the discussions on Article 77 and the criterion used to attribute liability related to the attribution and allocation of liability where several persons are involved in the same processing operation. In that context, the Presidency offered a choice between two options: ( 63 )
|
85. |
The compromise text submitted by the Presidency for adoption as a general approach ( 71 ) followed the first option, although it emphasised the exceptional nature of the exemption and made it more difficult to prove by wording Article 77(3) in the following manner: ‘… if … it proves that it is not in any way responsible …’. ( 72 ) That wording and the wording of the article which was ultimately adopted are the same. |
86. |
In short, the analysis of the legislative process which led to the final version of the GDPR suggests that the liability referred to in Article 82(1) of the GDPR is not linked to fault on the part of the processing manager. |
(c) Purpose
87. |
The GDPR establishes a system designed to ensure a high level of protection of natural persons while removing obstacles to flows of personal data. ( 73 ) Within that system, Article 82 pursues a compensatory purpose, without prejudice to the fact that it also serves, secondarily, to deter or prevent conduct at variance with its provisions. ( 74 ) |
88. |
Ensuring compensation is an objective in itself: that follows from the importance which the legislature attaches to it and transpires from a simple reading of the text. Under the GDPR, the receipt of compensation where damage has occurred is a right enjoyed by data subjects, the concept of damages must be interpreted broadly, and compensation must be full and effective. |
89. |
Compensation is linked to the aim of enhancing citizens’ confidence in the digital environment, an objective of general application which the GDPR sets out in recital 7. Providing data subjects with the assurance that, as a matter of principle, they will not simply have to bear the consequences of damage resulting from the unlawful processing of their data serves to foster such confidence: their assets are protected and, procedurally, their claims are more straightforward. |
90. |
The fact that Article 82(1) of the GDPR does not tie the compensation obligation to a breach of a duty of care is consistent with that approach. At the legislature’s behest, the compensation obligation falls on whoever occupies a position of guardian or guarantor in the relationship, and precisely because of that fact. |
91. |
It could therefore be said that, under the GDPR, what matters is the situation of the victim who suffers the damage resulting from the infringement, in the absence of a rule requiring the victim to bear the consequences of that damage. |
92. |
Whether or not there was fault on the part of the person who caused the damage is irrelevant to the victim: the decisive factor is that the processing manager caused material or non-material damage to the victim as a result of a breach of the GDPR committed by the processing manager. |
93. |
The objectives described above are more easily achieved under a model which ensures that proven damage:
|
94. |
Against the backdrop of adapting to the digital revolution, ( 75 ) that approach seems to me to be a consistent one. Rapid technological change means that, in the most common data processing activities carried out online, the absence of intent or negligence must not prevent compensation being awarded for damage which would otherwise be left unredressed. |
(d) Scheme
95. |
My proposed interpretation is more in line with the scheme of the GDPR. That is confirmed by Article 82(3): exemption is possible if ‘a controller … proves that it is not in any way responsible for the event giving rise to the damage’. |
96. |
The words ‘not in any way’ stand out in that provision and suggest that the model is not one based on fault (or even very minor fault) with reversal of the burden of proof. |
97. |
If the view is taken that compensation does not depend on the controller’s fault, Article 82 acquires a specific meaning in Chapter VIII and, ultimately, in the GDPR as a whole. |
98. |
The EU legislature assumes that the processing of personal data may be a source of risk. It requires processing parties to assess those risks and to take and update measures to prevent and minimise risks they have identified. ( 76 ) |
99. |
It has been argued that a fault-based civil liability model promotes diligence and, therefore, protection against risks, while the alternative model, which does not take account of a party’s conduct, would discourage that party from exercising caution (because, in the event of damage, he or she would have to pay compensation anyway). |
100. |
I am of the opinion that that outcome ( 77 ) is acceptable under the GDPR. Article 82 is part of a complex regulatory structure which includes public and private law tools to protect personal data. Within that structure, negligence (and intent) are relevant for the purposes of administrative penalties. I see no need for them also to be relevant for the purposes of civil liability, ( 78 ) which would run counter to the objectives of Article 82 and, moreover, would diminish the practical attractiveness of the remedy established by that article. |
2. Effect of the data subject’s involvement
101. |
The questions concerning the need for fault on the part of the controller are related, in the present case, to the possible consequences deriving from the data subject’s involvement. ( 79 ) |
102. |
For a better understanding of the matters set out below, it should be made clear that the circumstances of the dispute have been viewed from two angles:
|
103. |
I consider, in any event, that as the referring court appears to maintain, ( 82 ) recourse must be had to Article 82(3) in order to determine the effect (if any) of the data subject’s conduct on the commission of the infringing act at the root of the damage. |
104. |
That provision does not list, even by way of example, specific grounds for exemption from liability. Nor does recital 146. ( 83 ) |
105. |
The GDPR appears to depart in that regard from Directive 95/46, Article 23(2) of which contained a rule similar ( 84 ) to the current Article 82(3) of the GDPR: recital 55 of Directive 95/46 cited, as examples of grounds for exemption, fault on the part of the data subject and force majeure, ( 85 ) which are not found in the GDPR. |
106. |
Unless I am mistaken, it is not apparent from the travaux préparatoires for the GDPR that there was any discussion of those two examples, which did appear in the Commission proposal ( 86 ) and were retained by the Parliament. ( 87 ) |
107. |
Their deletion and the inclusion of the words ‘not in any way’ occurred during the abovementioned debate on how to regulate liability in the case of processing operations involving multiple managers or processors. ( 88 ) |
108. |
It transpires from the available documentation ( 89 ) that, in the final version, the processing manager would qualify for the exemption if he or she could demonstrate that he or she was in no way responsible for the damage (‘0% responsibility’). The same applied to the processor. ( 90 ) |
109. |
On that basis, I do not think that the disappearance of the two examples in the preamble, alongside the insertion of ‘not in any way’ in the same preamble and in Article 82(3) of the GDPR, has the result (or the aim) of excluding the data subject’s actions from the grounds for exemption from liability. ( 91 ) |
110. |
Rather, it appears that the data subject’s actions are still capable, depending on the circumstances, of breaking the essential link between the ‘event’ (Article 82(3) of the GDPR uses that term) and the controller’s responsibility. Emphasising the restricted nature of the escape clause does not prevent a particular act of the data subject from giving rise, on its own, to damage and, consequently, from triggering the exemption from liability of the processing manager. |
111. |
A systematic interpretation militates in favour of account being taken, in the context of liability for damage, of the data subject’s involvement in causing that damage. In the scheme of the GDPR, individuals have a role to play in the protection of their data and, to that end, they are given tools which are, in themselves, rights. |
112. |
From a teleological point of view, I consider that the GDPR seeks to provide a high level of protection, but not to the extent that it requires the controller to pay compensation also for damage resulting from events or actions attributable to the data subject. ( 92 ) |
3. Calculation of compensation. Effect of the degree of fault on the part of the person liable for the damage
113. |
The referring court confirmed that the fifth question referred for a preliminary ruling concerns whether the degree of fault on the part of the controller affects the calculation of compensation. More specifically, it asks whether the absence of fault or minor fault on the part of the controller may be taken into account in his or her favour. |
114. |
Article 82 of the GDPR says little, if anything, about the key aspects of compensation which would have an impact on its calculation. It provides no guidance to a person interpreting that article on the elements making up such compensation, ( 93 ) on the criteria for assessing (quantifying) those elements, ( 94 ) or the factors which might affect the amount thereof. ( 95 ) |
115. |
Nevertheless, I consider that the GDPR confers on data subjects a right to compensation the amount of which is to be determined on the basis of the damage actually suffered. Once a figure compensating that damage in objective terms has been established, it should not be altered according to the extent of the controller’s negligence. |
116. |
In support of my position, I refer mutatis mutandis to my views on the attribution of liability to the processing manager, irrespective of fault on his or her part, in the scheme of Article 82 of the GDPR. From the perspective of the victim, whose (tangible and intangible) assets must be unimpaired following the occurrence of the damage, compensation for that damage must be paid without it being tied to the fault of the processing manager, regardless of its degree. ( 96 ) |
117. |
I think that the same outcome follows from the conclusion that Article 82 of the GDPR (the travaux préparatoires for which do not offer up any material to support one position or the other) ( 97 ) differs from other EU legal instruments, which expressly distinguish between whether or not a party was ‘knowingly’ involved in the infringement when setting the amount for which compensation may be awarded under the head of civil liability. ( 98 ) |
118. |
In my view, that assessment is supported by two further arguments:
|
V. Conclusion
119. |
In the light of the foregoing considerations, I propose that the Court of Justice reply to the Bundesarbeitsgericht (Federal Labour Court, Germany) as follows: ‘Article 9(2)(h) and (3) and Article 82(1) and (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that: it does not prohibit a medical service of a health insurance fund from processing data concerning the health of an employee of that service, where those data are a prerequisite for assessing that employee’s working capacity; it permits an exception to the prohibition on processing personal data concerning health, where such processing is necessary for the purposes of assessing the employee’s working capacity and complies with the principles set out in Article 5 and with one of the conditions for lawfulness laid down in Article 6 of Regulation 2016/679; the degree of fault on the part of the controller or processor does not have a bearing on establishing the liability of either of them or quantifying the amount of non-material damage to be compensated on the basis of Article 82(1) of Regulation 2016/679; the involvement of the data subject in the event giving rise to the compensation obligation may trigger, depending on the circumstances, the exemption from liability of the controller or processor provided for in Article 82(3) of Regulation 2016/679.’ |
( 1 ) Original language: Spanish.
( 2 ) Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).
( 3 ) It has also ruled on Article 8 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), the direct predecessor of Article 9 of the GDPR.
( 4 ) The fourth question is essentially identical to the first question submitted in Case C‑300/21, Österreichische Post (Non-material damage resulting from unlawful processing of data), my Opinion in which was delivered on 6 October 2022 (EU:C:2022:756) (‘Opinion in Case C‑300/21’); the Court of Justice gave judgment on 4 May 2023 (EU:C:2023:370).
( 5 ) Book V of the Social Code.
( 6 ) Medizinischer Dienst der Krankenversicherung (‘MDK’).
( 7 ) Krankenversicherung (‘KV’).
( 8 ) ‘Memorandum on protecting the social data of [the MDK’s] employees and their family members’, summarised in the order for reference, paragraph 6 et seq.
( 9 ) A virtual organisational unit known as the ‘Special Cases’ unit, to which only that unit’s employees have access, was set up within the IT data processing system used internally by the MDK.
( 10 ) As a result of the end (as prescribed by law) of the period during which the MDK continued to pay his salary.
( 11 ) He argued that had it not been for the breach concerning his personal data, he could have returned to work in December 2018.
( 12 ) ArbG Düsseldorf, Urteil vom 22.02.2019 – 4 Ca 6116/18, and LAG Düsseldorf (12. Kammer), Urteil vom 11.03.2020 – 12 Sa 186/19, respectively.
( 13 ) As regards its content, I refer to the judgment of 4 May 2023, Österreichische Post (Non-material damage resulting from unlawful processing of data (C-300/21, EU:C:2023:370).
( 14 ) What follows is without prejudice to the answer to the third question referred for a preliminary ruling.
( 15 ) I think recourse should be had to this provision rather than to Article 9(2)(b) of the GDPR. The processing does not appear to have been necessary (either as regards the MDK as employer or as regards ZQ as employee) for the carrying out of obligations or the exercise of rights in the context of the employment relationship.
( 16 ) The processing of sensitive data as an employer (that is, for purposes linked to the employment relationship) is lawful only if it meets the conditions laid down in the GDPR for processing data for a purpose other than that for which they were collected.
( 17 ) Paragraph 22 of the order for reference. The GDPR does, however, require other characteristics to be met, provided for in Article 9(3) thereof: on their scope, see point 40 et seq. below.
( 18 ) Article 9 of the GDPR has its origins in Article 8 of Directive 95/46. In the Commission proposal (Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final of 25 January 2012; ‘the Commission proposal’), the processing of personal data concerning health was governed by Article 81, which laid down a series of justifications and stated that such processing had to be carried out in accordance with EU or Member State law. Member States were required to establish the necessary safeguards to protect the data subject’s legitimate rights. The content of Article 81 was incorporated into Article 9(2)(h) and (4), as reflected in document No 14270/14 from the Council Presidency to the Working Party on Data Protection of 16 October 2014.
( 19 ) Judgment of 24 September 2019, GC and Others (De-referencing of sensitive data) (C‑136/17, EU:C:2019:773, paragraph 44): ‘… the specific requirements … relating to the special categories of data [have as their] purpose … to ensure enhanced protection as regards such processing, which, because of the particular sensitivity of the data, is liable to constitute, as also follows from recital 33 of [Directive 95/46] and recital 51 of that regulation, a particularly serious interference with the fundamental rights to privacy and the protection of personal data, guaranteed by Articles 7 and 8 of the Charter’.
( 20 ) The fundamental right to the protection of personal data does not automatically override any other right, even when the special categories of Article 9(1) of the GDPR are at stake: judgment of 24 September 2019, GC and Others (De-referencing of sensitive data) (C‑136/17, EU:C:2019:773, paragraphs 66 to 68).
( 21 ) Article 9(3) of the GDPR.
( 22 ) Article 88 of the GDPR allows Member States to adopt ‘more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context’. On the interpretation of that provision, I refer to the judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer (C-34/21, EU:C:2023:270).
( 23 ) That appears to be the view of the referring court. I, for my part, refer to footnote 15 above.
( 24 ) I agree with the Commission that ‘the second paragraph [of Article 9 of the GDPR] does not establish a specific hierarchy or a possible relationship of dependence between the exceptions, which coexist on an equal footing’ (paragraph 13 of its written observations).
( 25 ) There is no requirement, as there was under Directive 95/46, for the processing to be carried out ‘by a health professional subject … to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy’ (emphasis added). The processing must, however, be carried out by persons subject to an obligation of secrecy.
( 26 ) Referring to data that are ‘particularly sensitive in relation to fundamental rights and freedoms’, recital 51 of the GDPR states that ‘in addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing’.
( 27 ) Judgment of 16 January 2019, Deutsche Post (C‑496/17, EU:C:2019:26, paragraph 57), and the case-law cited. As regards sensitive data, judgments of 24 September 2019, GC and Others (De-referencing of sensitive data) (C‑136/17, EU:C:2019:773, paragraph 64), and of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraphs 96, 99, 100 and 102).
( 28 ) Order for reference, paragraphs 25 to 27. It refers to the establishment of two independent cells for ‘special cases’ and of separate IT units to deal with reports on IT employees (like ZQ). The ultimate goal would be to ensure that no employee of the MDK could actually have access to a co-worker’s health data or knowledge of the existence of checks on the latter’s working capacity.
( 29 ) Article 8(3). As I have already explained, the GDPR widened the circle of persons authorised to carry out processing operations.
( 30 ) Paragraph 4 was inserted into Article 9 of the GDPR as a result of a proposal by Germany: document No 6834/15 from the Presidency to the Council of 9 March 2015.
( 31 ) That is how the referring court describes the MDK (paragraph 16 of the order for reference). I will not therefore mention the processor in the remainder of this Opinion unless it is appropriate to do so. In principle, the considerations set out in relation to the controller can be applied to the processor.
( 32 ) The referring court is concerned, in particular, that a security breach, if it were to occur, would result in ZQ’s colleagues finding out about his state of health, which could lead to speculation about his productivity. It adds that information on the mere existence of a medical report concerning incapacity for work is sensitive information in so far as it may suggest the possibility of that incapacity being feigned (paragraph 26 of the order for reference).
( 33 ) See point 10 above.
( 34 ) Paragraph 27 of the order for reference.
( 35 ) See footnote 27 above. On the relationship between Articles 6 and 9 of the GDPR, also see Case C‑252/21, Meta Platforms and others (General terms of use of a social network). The Opinion of Advocate General Rantos was delivered on 20 September 2022 (C‑252/21, EU:C:2022:704).
( 36 ) Judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (EU:C:2021:504, paragraphs 96, 99, 100 and 102).
( 37 ) The content of Article 10 of the GDPR previously appeared in Article 8 of Directive 95/46. The latter grouped all special categories of data together, although it distinguished the processing of data relating to offences, criminal convictions or security measures, which it dealt with in paragraph 5. The formal separation enacted in the GDPR is not due to a change in the belief that personal data relating to criminal convictions or offences are ‘sensitive’ data.
( 38 ) Document No 17072/4/14 Rev 4 from the Council to the Permanent Representatives Committee of 4 March 2015, footnote 60.
( 39 ) Concerning, as in the final version, the lawfulness of the processing.
( 40 ) Document No 17072/4/14 Rev 4 from the Council to the Permanent Representatives Committee of 4 March 2015, Article 9(2) (‘Paragraph 1 shall not apply if one of the following applies and Article 6(1) is complied with …’) and footnote 60.
( 41 ) As from document No 6834/15 from the Presidency to the Council of 9 March 2015.
( 42 ) Which certainly did not assuage the misgivings of all delegations. See, for example, document No 7466/15 from the Presidency to the Delegations of 26 March 2015, footnote 38.
( 43 ) Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, April 2020, paragraph 15.
( 44 ) ‘Advice paper on special categories of data’, Ares(2011)444105 – 20/04/2011, p. 5.
( 45 ) That also reflects the Commission’s public view: Minutes of the second meeting of the Commission expert group on Regulation (EU) 2016/679 and Directive (EU) 2016/680, held on 10 October 2016, p. 2, and Minutes of the meeting of the Commission expert group on Regulation (EU) 2016/679 and Directive (EU) 2016/680, held on 20 February 2018, p. 2.
( 46 ) A view in favour of cumulation or complementarity can be found, for instance, in Petri, T., ‘Art. 9’, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 2019, marg. 26, who nevertheless concedes that that view is not a unanimous one. The opposite is suggested in the Handbook on European data protection law of the European Union Agency for Fundamental Rights, 2018, section 4.1.1.
( 47 ) Respectively, where the data subject has given explicit consent, where processing is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent, and where processing is necessary for reasons of public interest.
( 48 ) Paragraphs 30 and 31 of the order for reference.
( 49 ) For example, whether the data subject’s consent, as the legal basis accompanying the authorisation provided for in Article 9(2)(h), must be the explicit consent required by Article 9, or whether the consent set out in Article 6(1)(a) would suffice.
( 50 ) A separate, narrower question is whether, in the light of the referring court’s reasoning in respect of Article 6(1), the meaning of the conditions listed therein should be clarified, in particular those set out in points (c) and (e). In that regard, I refer to the case-law of the Court of Justice: as regards the provisions of Directive 95/46, judgments of 16 December 2008, Huber (C‑524/06, EU:C:2008:724, paragraph 62); and of 30 May 2013, Worten (C‑342/12, EU:C:2013:355, paragraph 37); as regards the GDPR, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 66 et seq.).
( 51 ) The referring court is inclined to find that Articles 9 and 6 of the GDPR were infringed as a consequence of the processing carried out by the MDK. In paragraph 32 of the order for reference, it states that the infringement in itself gives rise to a right to compensation; in paragraph 33, it insists that infringement automatically translates into damage (‘the very infringement of the GDPR causes non-material damage giving rise to a right to compensation’). For the reasons set out in my Opinion in Case C‑300/21, I disagree.
( 52 ) Paragraphs 78 to 80 of the MDK’s observations. According to the MDK, it was none other than the data subject who caused the damage to himself by not requesting the records and not exercising his right of access vis-à-vis the MDK under Article 15 of the GDPR, and by instead resorting to the services of a colleague in his unit, leading to the data in question being consulted. In the same vein, see the judgment handed down on appeal by the LAG Düsseldorf (12. Kammer), Urteil vom 11.03.2020 – 12 Sa 186/19, paragraph 4.3.4.3.
( 53 ) The employee, who worked in the same department as the data subject, accessed the data in circumstances other than those in which such access is permitted, that is, for purposes other than the performance of work under her contract.
( 54 ) In the remainder of this Opinion, I will use the term ‘manager’ interchangeably as a synonym for ‘controller’.
( 55 ) Leaving aside the voices claiming that this is an unregulated matter, opinions differ between those in favour of a system of strict liability and those in favour of fault-based liability with reversal of the burden of proof. The fact of the matter is that, as in the case of other sectoral (civil) liability systems, I do not think that the GDPR is an exact match for either of the two main theoretical paradigms, the boundaries of which are also rather blurry. The wording of the GDPR suggests that it could fit within both, with nuances that ultimately obscure the models: in the first, due to the high standard of care that would have to be proven in order to avoid liability; in the second, due to the introduction of care/negligence tests in the grounds for exemption, or when a finding of breach is made, depending on the nature of the rule at issue.
( 56 ) Paragraph 2, which may be construed as the antithesis of paragraph 1 in that it considers the issue of liability from the perspective of the obligors, also does not mention any requirement of fault.
( 57 ) In the Spanish-language version, however, the word ‘imputable’ is used in Article 47(2)(f) of the GDPR, which, in relation to the information on which it makes the approval of binding corporate rules contingent, refers to the exemption from liability in groups of companies established inside and outside the Union. The German-language version uses a periphrasis (‘dem betreffenden Mitglied nicht zur Last gelegt werden kann’).
( 58 ) See Articles 82(3), 68(4) and 75(6).
( 59 ) Article 83(2)(b) and (3). My view on the interpretation of that provision is set out in my Opinion in Case C‑807/21, Deutsche Wohnen (EU:C:2023:360).
( 60 ) For example, document No 17831/13 from the Council Presidency to the Working Party on Data Protection of 16 December 2013, footnote 542.
( 61 ) Amendment No 2819, tabled by S. Ilchev, Draft Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), document PE501.927v04-00, Amendments (9): ‘Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered unless the controller or processor proves that they are not responsible for the damage either by intent or negligence’. Emphasis added.
( 62 ) See the text accompanying the legislative resolution of 12 March 2014 on the Commission proposal (OJ 2017 C 378, p. 399).
( 63 ) Document No 9083/15 from the Presidency to the JHA Counsellors of the Working Party on Data Protection of 27 May 2015. The difference between the options revolves around Article 77(3) to (6). Paragraph 1, which establishes the principle of the liability of the controller and processor, and paragraph 2, which sets out the material scope of their liability, delimiting that of the processor, were the same.
( 64 ) Loc. cit., paragraph 5.
( 65 )
( 66 ) Or, in the case of the processor, where he or she has failed to comply with instructions given by the controller in accordance with the GDPR.
( 67 ) Subject to the possibility of subsequent recovery: first option, Article 77(6).
( 68 ) Document No 9083/15 from the Presidency to the JHA Counsellors of the Working Party on Data Protection of 27 May 2015, paragraph 7. Liability for fault had been openly mooted by the United Kingdom delegation. In the light of its arguments, a question to that effect was put to the other delegations (document no 7722/15 from the Presidency to the Working Party on Data Protection of 13 April 2015, paragraphs 10 and 11). The option that was ultimately put forward appears to follow the compromise drafted by the German delegation (document No 8150/1/15 Rev 1 of 6 May 2015), which distinguished between the controller/processor-data subject relationship and the controller-processor relationship and opted for the attribution of liability based on negligence or fault in respect of the latter: ‘liability follows fault, meaning that a party is only liable if he/she has intentionally or negligently acted contrary to his duties laid down in this Regulation’. As far as the data subject is concerned, the absence of negligence would give rise to exemption from liability.
( 69 ) Loc. cit., paragraph 6, which ends as follows: ‘In other words, the mere fact that an entity was involved in a non-compliant processing operation which caused damage suffices for it to be held liable for the full amount of damages’.
( 70 ) Article 77(4a), under this option: ‘If a data subject is not able to bring a claim for compensation against the controller …’.
( 71 ) Document No 9565/15 from the Presidency to the Council of 11 June 2015.
( 72 ) Emphasis added. Alongside this addition, the examples of grounds for exemption in recital 118 are deleted: see point 104 et seq. below.
( 73 ) Recital 10 of the GDPR.
( 74 ) I refer to my Opinion in Case C‑300/21. As I pointed out in that Opinion, the legislature seeks to encourage the private enforcement of the rules on the protection of personal data. To that end, Chapter VIII of the GDPR equips data subjects with a number of tools. Compensation for civil liability is one of them, but it has no punitive functions.
( 75 ) That was one of the arguments for going beyond Directive 95/46 in the Commission proposal.
( 76 ) Recital 77 et seq. of the GDPR.
( 77 ) The following should be clarified: liability has a preventive function in so far as it affects a party’s decisions as to the level of activity to be carried out. My proposed interpretation makes it possible to link Article 82 of the GDPR to processing principles such as purpose limitation, data minimisation and accuracy (Article 5(1)(b), (c) and (d) of the GDPR).
( 78 ) Making negligence the criterion used to attribute liability.
( 79 ) See footnote 52 above.
( 80 ) That is the position of the referring court (see footnote 51 above). According to the referring court, the data subject’s involvement in requesting that his data be consulted should have no bearing on the attribution of liability. It may, however, be relevant for the purposes of quantifying compensation.
( 81 ) That is the position of the MDK and the appellate court (see footnote 52 above). In actual fact, it could be argued that, in that second situation, the ‘damage’ component is missing: volenti non fit iniuria.
( 82 ) Paragraph 40 of the order for reference.
( 83 ) Unlike other sectors (e.g. product liability), the enumeration of the grounds for exemption in the GDPR does not take the form of an exhaustive list.
( 84 )
( 85 ) The controller ‘may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure’. Emphasis added.
( 86 ) Recital 118 of the Commission proposal.
( 87 ) Recital 118 of the text accompanying the Parliament’s legislative resolution of 12 March 2014 on the Commission proposal.
( 88 ) Point 84 above et seq. The examples appeared in documents relating to the negotiations in the Council but no longer appeared in the compromise text, document No 9565/15 of 11 June 2015.
( 89 ) I refer in particular to document No 9083/15 from the Presidency to the JHA Counsellors of the Working Party on Data Protection of 27 May 2015.
( 90 ) Given the context (I repeat, the special focus on cases involving multiple processing parties), it may be inferred that one possibility in that respect would be for the controller to prove that the damage resulted exclusively from the actions of the processor, and vice versa for the processor.
( 91 ) Nor does force majeure, which was the other ground expressly mentioned in recital 55 of Directive 95/46 (see point 105 above).
( 92 ) I do not, of course, prejudge situations involving third parties. In that regard, see the Opinion of Advocate General Pitruzzella delivered on 27 April 2023 in Natsionalna agentsia za prihodite (C-340/21, EU:C:2023:353).
( 93 ) In order to dispel the doubts which existed under Directive 95/46, the GDPR makes clear that it covers non-material damage. Recital 146 refers to ‘any damage’ and states that the concept of ‘damage’ is to be interpreted broadly in the light of the case-law of the Court of Justice. The precise scope of that statement is still the topic of debate.
( 94 ) It does not indicate whether, in order to determine the value of the damage in each case, scales, lump sums or other calculation systems should be used.
( 95 ) Those factors might include: (a) the factor suggested by the referring court; (b) the existence of fault on the part of the data subject, as MDK claims in paragraph 80 of its observations; (c) other factors, such as the introduction of quantitative ceilings on compensation to avoid unjustifiably discouraging data processing operations or economic activities which depend on such operations.
( 96 ) Point 87 above et seq.
( 97 ) Directive 95/46 made no provision in that regard. I have found no evidence of discussions on this point in the travaux préparatoires for the GDPR.
( 98 ) See Council Regulation (EC) No 2100/94 of 27 July 1994 on Community plant variety rights (OJ 1994 L 227, p. 1), Article 94(2); and Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ 2004 L 157, p. 45), Article 13, recital 26.
( 99 ) Article 83(2)(b) and recital 148 of the GDPR. It is against that background that account is taken of the criterion of proportionality, not only as regards the event, but also as to whether the fine places a disproportionate burden on a natural person. In paragraph 54 of its observations, the Government of Ireland suggests that that criterion should be applied to civil liability. Again, there are no textual arguments to support the proposition that that criterion forms an integral part of Article 82. Nor does the drafting history or the purpose of the provision or its overall function furnish such support.
( 100 ) Effective compensation must be capable of fulfilling compensation’s function of safeguarding the right to data protection.
( 101 ) All are civilly liable under Article 82(2) and (3) of the GDPR. They are liable for the whole amount irrespective of the extent of their contribution to the damage.
( 102 ) I do not rule out the possibility that other circumstances might justify a reduction of the amount: I am thinking, for example, of individual cases in which the right to compensation (and, by extension, the right to data protection) is weighed against other assets or rights of the same rank. In the GDPR, the adjective full also serves to ensure that a certain type of damage (non-material damage) is covered; to prevent compensation being limited to consequential damage (it should include other heads, as the Court of Justice has pointed out in other areas); and to ensure that the involvement of multiple parties in a processing operation does not make access to compensation more difficult, but rather more straightforward.