RGPD - Violation of the RGPD does not in itself give rise to a right to compensation

In a decision of April 11, 2023, the Administrative Court of Appeal of Paris (CAA) considered that the absence of information to a patient of her right to request the rectification of her health data could not constitute, in itself, a prejudice.

A month later, on May 4, 2023, the CJEU was able to reconfirm that the mere violation of the General Data Protection Regulation (GDPR) cannot be the basis for a right to compensation.

The absence of harmful consequences retained by the CAA

In this judgment of April 11, 2023, the patient criticized the AP-HP for (i) not having given her consent to the collection and storage of her data in her medical file and (ii) not having been informed of her right to rectification.

The patient thus charged the AP-HP with moral prejudice linked to an infringement of her private life due to the nature of the personal data mentioned in her medical file. These same data had been consulted by health professionals even before she was informed of her right to rectification.

Despite this failure to comply with the RGPD, the CAA of Paris nevertheless retained the absence of prejudice:

• on the one hand, the data contained in the medical file - as well as the health professionals consulting them - were subject to medical secrecy,
• on the other hand, the patient had indeed been able to exercise her right to request the rectification of her personal data.

According to the CAA of Paris, the prejudice alleged by the patient could not therefore be established.

This position was confirmed by the CJEU in an entirely different case.

The conditions of the right to redress under the GDPR

The facts at the origin of the reference for a preliminary ruling before the CJEU are as follows: the Austrian company Österreichische Post had processed data which led it, by means of statistical extrapolation, to deduce the existence of a high affinity of the applicant with a certain political party.

The applicant, who had not consented to the processing of his personal data, sought compensation for the non-material damage suffered.

The referral from the Austrian courts was intended to answer two main questions:

• Is the mere violation of the GDPR sufficient to confer a right to redress granted by the same regulation?
• Is the right to compensation conditional on a certain degree of seriousness of the damage?

First, the CJEU affirmed that the right to redress cannot result from the mere violation of the GDPR. The right to redress under the GDPR is unambiguously subject to 3 cumulative conditions:

• Violation of the RGPD
• Material or moral damage resulting from this violation
• Causal link between the damage and the violation

This analysis is consistent with Article 82(1), as well as Recitals 75, 85 and 146 of the GDPR.

However, the CJEU recalls the fundamental distinction between actions for redress (compensatory purpose) and the other remedies opened by the GDPR (punitive purpose), which allow, in particular, the imposition of administrative fines and other sanctions, without being conditional on the existence of individual damage.

Secondly, the CJEU concluded thatthere is no threshold for the seriousness of the damage to confer a right to compensation. The position of the CJEU is, again, unambiguous:

"Subordinating compensation for non-material damage to a certain threshold of seriousness would risk undermining the coherence of the regime established by the GDPR. Indeed, the graduation on which the possibility of obtaining compensation would depend would be likely to fluctuate according to the appreciation of the judges seized."

Finally, the CJEU recalls the absence of rules on the assessment of damages provided for in the GDPR. The determination of the modalities relating to actions for damages, and in particular the rules relating to the extent of monetary compensation, is a matter for national law alone, subject to compliance with the principles of equivalence and effectiveness of EU law.

Once again, the Court emphasizes the compensatory function of the right to compensation provided by the GDPR and recalls, in this respect, the need for full compensation for the damage suffered.