The European Court of Justice ruled that employers remain liable for privacy damages caused by their employees, even if the employees violate instructions. While exemptions may apply if the employee acted autonomously, the employer must demonstrate this.
Within the realm of personal data protection, a recent ruling by the European Court of Justice has reaffirmed the employer’s liability for “privacy” damages resulting from errors committed by their employees, even if the latter have violated the instructions received.
The ruling, issued on April 11, 2024, in case C-741/21, concerned a dispute between a German lawyer and a company distributing a legal database. The lawyer had complained about continuous commercial phone calls and emails received despite revoking consent for marketing communications and initiated a legal action, based on Article 82 of the EU General Data Protection Regulation No. 2016/679 (GDPR), asserting the company’s responsibility for the damages incurred. Conversely, the company defended itself by arguing that the incident was not attributable to the company but rather to an employee who had not followed given instructions.
The issue raised by the German judges was referred to the European Court of Justice, which clarified that the data controller cannot be exempted from liability simply by pointing out that the damage was caused by an error of an employee acting under its authority. However, the Court specified that there may be circumstances in which the employer can be exempted from liability if it demonstrates that the employee acted entirely autonomously and for their own individual purposes. This, however, does not apply if
the error occurred within the assigned duties, as the employer has a duty to supervise the accuracy of the performance.
Furthermore, the ruling clarified that the claimant must prove the harmful consequences of the GDPR violation to claim compensation and that the judge, in determining the amount of compensation, should not apply the criteria provided for administrative sanctions but should only quantify the suffered prejudice without punitive surplus. In conclusion, the ruling underscores the importance of the employer’s responsibility in ensuring the protection of personal data and the need for careful supervision of employee activities to prevent privacy violations and subsequent damages.
DISCLAIMER: : This article merely provides general information and does not constitute legal advice of any kind from Macchi di Cellere Gangemi which assumes no liability whatsoever for the content and correctness of the newsletter. The author or your contact in the firm will be happy to answer any questions you may have.