Authors

Alexander Schmalenberger, LL.B.

Knowledge Lawyer

Dr. Benedikt Kohn, CIPP/E

Senior Associate

27 December 2023

GDPR compensation and culpability

  • Briefing

Analysis of the ECJ ruling C-667/21 of 21 December 2023

Legal context and key issues

The ECJ dealt with the question of the lawfulness of the processing of an employee's health data by a medical service that is also the employer of the person concerned. It focussed on the interpretation of the GDPR, in particular the application of Article 9 (processing of special categories of personal data), its relationship to Article 6 (lawfulness of processing) and Article 82 (liability and right to compensation). The focus was on balancing the data protection of employees against the legitimate interests and obligations of the employer.

Important aspects of the judgement

  • No unwritten criteria: The ECJ confirmed that the statutory authorisation for medical services pursuant to Art. 9 para. 2 letter h, para. 3 GDPR, Section 275 para. 1 SGB V is also applicable if they are also the employer of the data subject. The processing of health data to assess an employee's ability to work falls under the exceptions provided for in the GDPR, provided that the specific requirements are met. A (further) unwritten restriction of the processing authorisation cannot be added to the wording of Art. 9 GDPR.
  • Additional data protection requirements: The ECJ found that Art. 9 para. 3 GDPR does not provide for any additional requirements regarding colleagues' access to health data. However, national legislation could require stricter data protection measures if the data processing authorisation can still be used in practice. In addition, Art. 32 para. 1 lit. a and b, Art. 5 para. 1 lit. f GDPR may require protective measures to be taken.
  • Link between Art. 9 and Art. 6 GDPR: The Court emphasised that lawful data processing must fulfil both the specific requirements of Art. 9 and the general requirements of Art. 6.
  • Character of the claim for damages: The ECJ clarified that damages pursuant to Art. 82 GDPR are purely compensatory and not punitive in nature. This has a significant impact on the assessment and calculation of damages in practice.
  • Fault-based liability: The liability of the responsible party presupposes fault. The reversal of the burden of proof is interesting here, according to which the responsible party must prove that no fault can be attributed to them. It is also worth noting that the degree of fault should not affect the amount of compensation. This emphasises the importance of careful data processing practices.
  • No reduction of claim in case of contributory negligence? The Court's statements can be read to mean that contributory negligence on the part of the person concerned does not reduce the claim for damages.

Implications for practice

  • Scope of data processing authorisations: Data processing authorisations based on opening clauses of the GDPR apply within the scope of their wording and national law. There can be no unwritten restrictions on the scope of an applicable national law based on the GDPR. Additional conditions in national laws may also not go so far as to make a data processing authorisation provided for in the GDPR de facto impossible.
  • Data protection compliance: The ruling emphasises that data protection compliance requires a double check when processing data: both the specific and the general requirements of the GDPR must be met.
  • Compensation claims: The judgement has a significant impact on the handling of compensation claims. The compensatory nature of damages limits the financial responsibility of the responsible party to the actual damage incurred. However, even the slightest negligence is sufficient for a claim to arise. And it is unlikely that contributory negligence on the part of the person affected will be able to reduce the claim.