As opposed to the fine provided for under Article 83, damages for a violation of the GDPR do not have a punitive but a compensatory function. Therefore, the pecuniary compensation to which the user is entitled under Article 82 must ensure – without exceeding it – full compensation for the actual damage suffered, regardless of the seriousness of the infringement.

This is what the CJEU ruled in the December 21 judgement (Third Chamber, C-667/21), in accordance with Advocate General Campos Sánchez-Bordona’s Opinion.

The Court also clarified that the data controller's fault is presumed. It follows that, once the three traditional elements required under Article 82 for the purposes of compensation are proved (i.e. a violation of the Regulation, damage, and a causal link between the former and the latter), it is up to the data controller to demonstrate that the damaging event is in no way attributable to it.

Even though he eventually reaches the same conclusion, the Advocate General uses a different paradigm. According to him, and in light of the wording of Article 82 and the preparatory works, the GDPR has opted for a system of liability detached from fault. Instead, it assumes that the processing of personal data is a source of risk. The processing parties should therefore assess those risks and take the appropriate measures to prevent and minimize them. In any event, the acceptance of such risks must in no way make the controller pay compensation for the damage resulting from actions that are exclusively attributable to the data subject.

The Court concludes by highlighting that such a mechanism of fault-based liability, accompanied by the reversal of the burden of proof, makes it possible to strike a balance between the interests of data controllers and the rights of individuals whose data are processed, in accordance with the objectives pursued by the Regulation, namely the development of the digital economy while also maintaining a high level of protection for the data subjects.

One may, however, argue that this balance tips more in favor of a high level of protection for the user, considering that even the slightest negligence is sufficient to establish the controller's liability, and the low degree of gravity cannot reduce the amount of damages owed by the latter.

Emanuela Doria

Jeanne Deniau

Marco Amorese