CJEU dismisses controller’s attempt to avoid GDPR liability by relying on employee’s acts.
A recent Court of Justice of the European Union (CJEU) ruling concerning a business-to-business (B2B) postal marketing case has found that a controller cannot avoid liability for compensation under the GDPR by simply relying on the negligence or fault of someone acting under its authority. Echoing the Austrian Post Case (see here), the CJEU also determined that an infringement of data subject rights, in itself, is insufficient to constitute “non-material damage” under the GDPR. The individual must prove that he or she actually suffered damage and that there is a causal link between the damage and the controller’s actions.
Background
Case C‑741/21 concerned a reference to the CJEU for a preliminary ruling from a German court. The reference arose from an individual’s case before a German court against juris GmbH (juris), a legal database company. The individual, a self-employed lawyer, exercised his right to object under Article 21(2) of the GDPR to the processing of his personal data by juris for direct marketing purposes. Despite reiterating this request several times, the individual continued receiving advertising leaflets by post, including a “trial personal code”, giving access to an order form on the juris website containing his personal data. The individual sought compensation for material damage and non-material damage under the GDPR.
A Controller Cannot Blame its Agents
Article 29 of the GDPR provides that a processor, and any person acting under the authority of the controller or the processor who has access to personal data, shall not process that data except on instructions from the controller, unless required to do so by European Union or Member State law. In its defence, juris relied on Article 29 of the GDPR and submitted that it had a system in place for managing objections (opt-outs) to marketing. It submitted that the failure to take the applicant’s objections into account arose because one of its employees had failed to comply with instructions to do so. The CJEU noted that employees are indeed natural persons acting under the authority of their employer as controller. However, it is for the employer to ensure that its instructions are correctly applied by its employees.
The CJEU held that a controller (here, juris) cannot avoid liability for compensation by (a) simply relying on the negligence or fault of someone acting under its authority (e.g. an employee or processor) or (b) claiming that processing marketing opt-outs is too onerous or costly.
This case can be distinguished from the Morrison Supermarkets case, in which the UK Supreme Court found that Morrisons was not liable for a personal data breach deliberately caused by a rogue employee. See our article on this case here.
Non-Material Damage
juris also claimed that the mere breach of an obligation under the GDPR, such as the requirement not to process personal data for marketing purposes where an objection has been received from the data subject, did not, in itself, constitute “damage” in the context of the right to compensation.
The CJEU, referring to its previous decision in MediaMarktSaturn, C-687/21 (and mirroring the Austrian Post Case), stated that a data subject seeking compensation for material and non-material damage must establish not only an infringement of the GDPR but also that the infringement caused him or her such damage. Loss of control over personal data, even for a short period of time, may constitute “non-material damage” within the meaning of the GDPR. However, the individual must prove that he or she actually suffered damage to demonstrate a right to compensation.
Importance of Training and Managing Opt-Outs
This case exclusively concerned B2B postal marketing. While B2B postal marketing is not subject to the rules on direct marketing in the ePrivacy Directive, the GDPR still applies because individuals’ personal data (e.g. contact details) are used for such marketing. This case reinforces the importance of implementing, maintaining and periodically auditing technical and organisational measures for handling direct marketing opt-outs. It also highlights the importance of regular employee data protection training within data protection governance frameworks. Such training should emphasise the importance of GDPR compliance, the consequences of failing to comply, and the employee’s role in mitigating risks such as data breaches and the unlawful processing of personal data.
If you require any further information on the issues raised or have any queries about GDPR training, please contact Claire O’Connor, Rachel Hayes, or your usual William Fry contact.
Contributed by Claire O’Connor.