BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
Case C-590/22 The CJEU has ruled that a data subject may seek compensation for non-material damages caused by the fear of disclosure of personal data, even if the disclosure itself is not proven, as long as the negative consequences of that fear are proven. Merely proving an infringement, however, is insufficient for compensation; actual damage must be proven. Case C-741/21 The CJEU clarified the right to compensation for non-material damage under the GDPR: • an infringement alone does not constitute “non-material damage” – there must be evidence of “suffered damage” and a causal link; • controllers cannot claim exemption from liability for the mere fact that a person acting under its authority failed to follow its instruc - tions; • the assessment of compensation for non- material damage does not need to follow criteria similar to those for administrative fines; and • multiple infringements related to the same processing operation should be considered in the compensation assessment. Case C-687/21 The CJEU held that non-material damages under Article 82 require the claimant to prove a well-founded fear and a real risk of misuse of
• the fear that personal data will be misused as a result of a cyber-attack can be a compen - sable non-material damage; • excluding liability according to Article 82 (3) of the GDPR is only possible within certain limits; • the GDPR contains no provisions on how to assess damages, and national courts must therefore apply each member state’s national provisions subject to principles of equiva - lence and effectiveness under EU law; • when determining the amount of compensa - tion, Article 82 of the GDPR does not require taking into account the extent of fault or the number of GDPR violations by the controller against the data subject; • when GDPR infringements occur alongside breaches of national law that pertain to per - sonal data protection but do not aim to clarify GDPR requirements, these simultaneous breaches do not need to be considered when determining the amount of damages under Article 82 of the GDPR; and • Article 82 of the GDPR serves a compensato - ry purpose rather than a deterrent or punitive one. Cases C-182/22, C-189/22 The CJEU ruled that, under Article 82(1) of the GDPR, compensation for non-material damage due to personal data theft does not require con - sideration of the severity of the GDPR infringe - ment. The CJEU clarified that compensation should fully cover the damage, and may be mini - mal if the damage is not serious. Furthermore, “identity theft” for the purposes of compensation requires actual misuse of the stolen data, but compensation is not limited to cases involving subsequent identity theft or fraud.
personal data. Case C-340/21
The CJEU ruled that the fear of potential mis - use of personal data by third parties consti - tutes non-material damage under Article 82(1) of the GDPR. Controllers must compensate for damages from unauthorised data disclosure or
18
CHAMBERS.COM
Powered by FlippingBook