The General Data Protection Regulation (GDPR) grants a right to compensation to data subjects whose personal data have been unlawfully processed. But how is this claim asserted and calculated in practice? And what role does the fault of the controller or processor and the conduct of the data subject play? These questions are currently before the European Court of Justice (ECJ) in a preliminary ruling from Germany.
We clarify whether the general requirements (e.g. Art. 6(1), 24, 32 GDPR) apply alongside the specific regulations (Art. 9(2), (3) GDPR) - the answer is generally yes, but depends on the individual case. We also explain that there is strict liability for damages under the GDPR. It is also interesting to note that data subjects can claim damages even if they caused the breach of the GDPR. Thereby, the damages are not reduced in case of contributory negligence. Finally, we clarify that there are no unwritten restrictions on the processing of medical data under Art. 9(3) GDPR.
The case concerns an employee (ZQ) of the Medical Service of the Health Insurance Fund (MDK), about whom the MDK prepared an expert opinion on his incapacity to work on behalf of the competent health insurance fund. Actually, ZQ could and should have been assessed by a third party according to a service instruction of the MDK. ZQ found out about the report by chance. He had a colleague look at the report. ZQ was dissatisfied with the preparation and storage of the report at the MDK. He demanded damages from the MDK in the amount of 20,000 euros for violation of his rights under the GDPR. ZQ claimed that the MDK had processed his health data without his consent and without any other legal basis. The MDK could not invoke the "normal" legal basis for MDK expert opinions, as it was an employer in a personal capacity (cf. Art. 9 para. 2 lit. h GDPR, § 275 para. 1 sentence 1 no. 3 lit. b German Social Code V (SGB V)) and there had been no obstacles to having the expert opinion prepared by third parties. The MDK was also not allowed to store the expert opinion, as employers do not receive the expert opinion (see § 277 para. 2 sentence 1 SGB V). In this respect, it was also necessary to go beyond Article 9(3) of the GDPR and require that the persons authorised to process the data are not colleagues of the data subject. Moreover, in addition to Art. 9 of the GDPR, a reason for processing according to Art. 6 (1) of the GDPR was required. The MDK rejected the request and argued that it had processed the data on behalf of the health insurance fund. Moreover, ZQ had caused the damage himself by instructing a colleague to retrieve the expert opinion for him.
The Federal Labour Court hearing the case referred several questions to the ECJ on the interpretation of the GDPR, which are of importance for all those who process personal data.
The BAG asked five interesting questions. One of them - whether the General Data Protection Regulation provides for damages without compensation - was not answered, as the Court of Justice has already answered this question in the negative. The other questions are ordered according to their practical importance:
The first three questions for a preliminary ruling concern the relationship between the rules on the processing of sensitive data (Art. 9(2) GDPR in general and there lit. h in particular) and the general processing rules (e.g. Art. 6, 32 GDPR). The Advocate General is of the opinion that certain exceptions to the prohibition of processing personal data are directly related to a specific legal basis of the GDPR and incorporate this legal basis. However, other exemptions under Art. 9(2) GDPR require an additional justification under Art. 6(1). According to the Advocate General, the processing of health data under Art. 9(2) must therefore also comply with the general principles and other provisions of the GDPR, in particular the principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. The controller would have to take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. According to Art. 32 of the GDPR, measures to protect ZQ that went beyond the normal level were necessary in order to protect the data from access by his colleagues. In addition, the processing of health data must be based on one of the conditions listed in Article 6(1) of the GDPR, such as the consent of the data subject, the performance of a contract, the performance of a legal obligation or the protection of a legitimate interest. Article 9 (3) of the GDPR, on the other hand, does not provide for any additional measures. The MDK had therefore not been obliged to refuse the appraisal of the ZQ. This obligation could at most arise from national law under Article 9(4) of the GDPR.
The fifth question referred concerns the conditions for civil liability under Art. 82 GDPR. Does the data subject have to prove that the controller or processor intentionally or negligently infringed the GDPR in order to obtain damages? Or is it sufficient that there is a breach and damage without fault being required? In his opinion, the Advocate General of the ECJ came out in favour of the second alternative. He argued that the GDPR provides for strict liability in order to protect the fundamental rights of data subjects and to deter infringements. He based his argument on the wording, purpose, legislative history and systematics of the GDPR. He also pointed out that the GDPR explicitly takes into account fault in other provisions relating to the lawfulness of processing or the imposition of fines, implying that it is irrelevant for liability.
The fifth question referred also concerns the influence of the data subject's conduct on liability - here ZQ had in any case deepened the breach by asking the colleague. Can the controller or processor exempt itself from liability if it proves that the damage was caused or contributed to by the conduct of the data subject? The Advocate General answered this question in the affirmative, with qualifications. He pointed out that the GDPR contains an escape clause in Art. 82(3) that allows the controller or processor to be exempted from liability if it proves that it is not responsible for the damage at all. However, he said, this was a narrow exception, applicable only in cases of force majeure or fault on the part of the data subject. He also stressed that the data subject's involvement in the processing, e.g. by exercising his or her rights, cannot be considered as fault. He therefore suggested that the ECJ should ask the referring court to examine whether the data subject in the present case acted culpably by instructing a colleague to consult the report on her behalf or whether she was thereby merely exercising her right to information.
Finally, the fifth question referred for a preliminary ruling concerns the calculation of damages. Does the degree of fault of the controller or processor have an influence on the amount of damages? The Advocate General has answered this question in the negative. He argued that the GDPR requires full and effective compensation for the damage actually suffered. In doing so, he relied on Recital 146 of the General Data Protection Regulation, according to which damages should put the data subject in the position he or she would have been in had the breach not occurred. He also pointed out that the GDPR does not provide for a punitive function of damages, but reserves this for fines, which are assessed according to other criteria. He therefore suggests that the ECJ should instruct the referring court to measure damages according to the actual damage, without taking into account the degree of fault of the controller or processor.
The processing of an employee's health data by a medical service of a health insurance fund is generally permissible under Art. 9(2)(h) of the GDPR if it is necessary for the purposes of preventive health care, medical diagnosis, health care or treatment or for the administration of health services. This may be the case, for example, if the MDK prepares an expert opinion on the fitness for work of one's own employee. It is sufficient if a qualified person bound to secrecy within the meaning of Art. 9(3) GDPR processes the data. Further restrictions do not follow from the GDPR, but they can be enacted by the member states pursuant to Art. 9 (4) GDPR.
The ECJ's answers to these questions are expected to be available in four to six months. They will provide important guidance on the application of the GDPR in relation to compensation. They will also clarify the rights and obligations of data subjects, controllers and processors and potentially increase incentives to comply with data protection rules.