
DATA PROTECTION

Court of Cassation: it is not sufficient to take action to remove the unlawfully exposed data in order to be exempt from liability.

The data controller, who is always obliged to pay compensation for damage resulting from processing that does not comply with the GDPR, can only be exonerated from liability if he proves that the damaging event is in no way attributable to him.

The fact.

A municipality appealed to the Court of Cassation against the judgment of the Court that ordered it to compensate one of its employees for damage caused by unlawful processing of personal data. In particular, the local authority was accused of having published on its institutional website a decision concerning the garnishment of a certain amount of the employee's salary while failing to obscure her data in the attached accounting note, which then ended up on the public notice board.
 
In several grounds of appeal, the municipality argued that this was an accident, distraction or human error, unforeseeable and unavoidable, attributable to the operator in charge; an error which, moreover, was remedied within 24 hours. The appellant also complained that the damage cannot be considered in re ipsa merely because personal data were disclosed in breach of the principles for processing, and that it is for the data subject to provide the relevant proof.
 
In Order No. 13073 of 12 May, the Supreme Court dismissed the appeal, setting out two new principles of law:
  • "under the general rules of Regulation (EU) 2016/679, the so-called GDPR, a data controller is always obliged to compensate for the damage caused to a person by a processing that does not comply with the regulation itself, and may be exempted from liability not simply if it has taken action (as its duty) to remove the unlawfully exposed data, but only 'if it proves that the damaging event is in no way attributable to it'";
  • "the exclusion of the principle of damage in re ipsa presupposes, in such cases, the proof of the seriousness of the injury resulting from the processing; this means that the mere violation of formal prescriptions on the subject of data processing may not give rise to the damage, while it always induces compensation for that violation which concretely offends the effective scope of the right to privacy".

Secondly, it is specified that the fact that the unlawful processing took place by human error, distraction or other means is of no relevance. The data controller, in fact, is also liable for the negligent act of its employees, as, moreover, Article 2049 of the Civil Code already states in general for all matters of civil liability.
 
Turning then to the case at hand, the Court of Appeal observed that the Court had correctly ascertained the presence of damage resulting from the unlawful processing attributed to the Municipality, consisting of the exposure of the data, given their type and context, albeit only for a short time.

(Source: SEAC All-In Giuridica - Ownership of the contents: Gruppo SEAC).