OPINION OF ADVOCATE GENERAL
CAMPOS SÁNCHEZ-BORDONA
delivered on 25 May 2023 (1)
Case C‑667/21
ZQ
v
Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts
(Request for a preliminary ruling
from the Bundesarbeitsgericht (Federal Labour Court, Germany))
(Reference for a preliminary ruling – Protection of personal data – Personal data concerning health – Assessment of the working capacity of an employee – Medical service of a health insurance fund – Processing of personal data concerning employee health – Right to compensation for damage – Effect of the degree of fault)
1. This reference for a preliminary ruling concerns the interpretation of Regulation (EU) 2016/679 (2) as regards (a) the processing of personal data concerning health, and (b) compensation for damage suffered as a result of an (alleged) breach of the GDPR itself.
2. Although the Court of Justice has already ruled on the provisions of the GDPR (3) relating to those matters, the questions raised in this reference for a preliminary ruling have not been addressed before, with the exception of the fourth question. (4)
I. Legal framework
A. European Union law. The GDPR
3. Recitals 4, 10, 35, 51 to 54 and 146 of the GDPR are relevant to this dispute.
4. Under Article 9 (‘Processing of special categories of personal data’):
‘1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
…
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
…
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
…
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.’
5. Article 82 (‘Right to compensation and liability’) states:
‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
…
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
…’
B. National law. Sozialgesetzbuch Fünftes Buch (5)
6. The first sentence of Paragraph 278(1) provides that a medical service (Medizinischer Dienst der Krankenversicherung; ‘MDK’) (6) of the health insurance funds (‘KV’) (7) is to be established as a body governed by public law in every federal state. One of its tasks, conferred on it by law, is to draw up reports designed to remove doubts as to insured persons’ incapacity for work.
7. Under point 3(b) of the first sentence of Paragraph 275(1), in certain circumstances, the KV are required – in the event of an insured person’s incapacity for work as attested by a medical certificate – to request a report from the relevant MDK designed to remove doubts as to that person’s incapacity for work.
II. Facts, dispute and questions referred for a preliminary ruling
8. In 1991, ZQ took up employment with the MDK of North Rhine (Germany) as a system administrator in the IT department and on the helpdesk.
9. The MDK draws up reports on the incapacity for work of insured persons of the KV, which may include reports concerning the health of the MDK’s own employees.
10. Data processing is governed, inter alia, by the following rules set out in an internal operating manual: (8)
– Employees’ ‘social data’ may not be collected or stored at their place of work. Furthermore, those data, which are generated when a KV requests an expert report from the MDK, must not be mixed with workers’ data processed in the context of the employment or service relationship.
– Requests for reports concerning the MDK’s employees are classified as ‘special cases’ and are handled exclusively by a specific organisational unit. (9)
– Upon completion of the report on an employee of the MDK, both the relevant documentation and the report are stored in the MDK’s own electronic file. The only way to cross-link documents to specific individuals is by means of a special key, subject to access authorisation that must be technically verified.
11. After the records have been filed, the employees of the ‘IT Department’ of the ‘Special Cases’ organisational unit are able, subject to a statutory duty of confidentiality, to access reports drawn up pursuant to a request relating to the MDK’s employees.
12. ZQ had been continuously ill and incapacitated for work since 22 November 2017.
13. As from 24 May 2018, (10) ZQ received sickness benefits paid for by the KV which insured him. On 6 June 2018, the KV requested a report from the MDK in order to remove doubts as to ZQ’s incapacity for work.
14. The MDK accepted the request, which it assigned to the ‘Special Cases’ unit. On 22 June 2018, a doctor from that unit, employed by the MDK, issued a report containing ZQ’s diagnosis. In order to draw up that report, the doctor spoke to ZQ’s general practitioner by telephone and gathered relevant information from him.
15. The MDK filed the report electronically.
16. ZQ’s general practitioner informed him of the telephone call from the MDK’s doctor.
17. On 1 August 2018, ZQ contacted a work colleague in the MDK’s IT department and asked her whether a report had been filed concerning him. After searching the files, ZQ’s colleague responded in the affirmative. At ZQ’s request, she took photographs of the report and sent them to him.
18. On 15 August 2018, ZQ unsuccessfully sought compensation from the MDK in the amount of EUR 20 000 on the basis of Article 82 of the GDPR.
19. On 17 October 2018, ZQ brought an action before the Arbeitsgericht Düsseldorf (Labour Court, Düsseldorf, Germany). In that action, he also claimed compensation equivalent to lost earnings. (11)
20. During the court proceedings, the MDK terminated its employment relationship with ZQ.
21. ZQ’s claims were dismissed both at first instance and on appeal. (12)
22. ZQ brought an appeal before the Bundesarbeitsgericht (Federal Labour Court, Germany), which has referred the following questions to the Court of Justice:
‘(1) Is Article 9(2)(h) of the GDPR to be interpreted as prohibiting a medical service of a health insurance fund from processing its employee’s data concerning health which are a prerequisite for the assessment of that employee’s working capacity?
(2) If the Court answers Question 1 in the negative, with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) of the GDPR is possible under Article 9(2)(h) of the GDPR: in a case such as the present one, are there further data protection requirements, beyond the conditions set out in Article 9(3) of the GDPR, that must be complied with, and, if so, which ones?
(3) If the Court answers Question 1 in the negative, with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) of the GDPR is possible under Article 9(2)(h) of the GDPR: does the permissibility or lawfulness of the processing of data concerning health depend on the fulfilment of at least one of the conditions set out in Article 6(1) of the GDPR?
(4) Does Article 82(1) of the GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) of the GDPR?
(5) [Does] the degree of fault on the part of the controller or processor [have a bearing on] the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) of the GDPR? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?’
III. Procedure before the Court of Justice
23. The request for a preliminary ruling was received at the Court on 8 November 2021.
24. Written observations were submitted by ZQ, the MDK, the Irish and Italian Governments and the European Commission.
25. It was not considered necessary to hold a hearing.
26. In accordance with the instructions given by the Court, this Opinion will not address the fourth question referred for a preliminary ruling. (13)
IV. Analysis
A. First question referred
27. The referring court enquires whether Article 9(2)(h) of the GDPR prohibits an MDK from processing data concerning the health of one of its employees where those data are a prerequisite for assessing that employee’s working capacity. It thus questions the lawfulness of the processing on the basis of the entity carrying it out. (14)
28. Article 9 of the GDPR applies to special categories of data, such as data concerning a person’s health. It lays down a general prohibition on the processing of ‘sensitive’ data (paragraph 1) and exhaustively lists the circumstances in which the general prohibition does not apply (paragraph 2).
29. In particular, Article 9(2)(h) of the GDPR includes an exception (to the general prohibition) for the processing of personal data ‘for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment’.
30. In my view, that provision provides sufficient cover for the conduct of the MDK at issue in this case. (15) It is irrelevant that the controller is, at the same time, the data subject’s employer, since the MDK is not acting as an employer but as the medical service of a KV with which the data subject is insured. (16)
31. I see no reason to interpret point (h) of Article 9(2) of the GDPR as prohibiting a medical service from processing its employees’ health data for the purpose set out in that point. The usual criteria of interpretation suggest the opposite (non-existence of such a prohibition).
32. From a literal standpoint, Article 9(2)(h) of the GDPR does not contain such an exclusion, nor does it require as a condition for processing that the controller be a ‘neutral third party’. (17)
33. The legislative history and the development of the provision also do not point to a prohibition such as that mentioned in the first question referred for a preliminary ruling or disclose any intention of including such a prohibition. (18)
34. The purpose of the GDPR rules on the processing of data concerning health is, as the Court of Justice has held, (19) to afford data subjects greater protection given the particular sensitivity of those data for the fundamental rights at issue. That objective is served by the general prohibition laid down in Article 9(1) of the GDPR, which, however, is not absolute. (20)
35. In this area, as in others concerning the processing of personal data, the legislature has chosen, after establishing the general prohibition:
– to introduce exceptions, in the form of a list of specific situations, which can (roughly) be grouped into situations in which the data subject himself or herself authorises the processing or benefits from it, and situations in which there are interests which override those of each individual;
– to gird a certain type of processing with specific safeguards which go beyond and are in addition to the safeguards applying to ‘non-sensitive’ personal data; (21)
– to allow Member States to introduce further conditions on, and even limitations to, the processing of personal data, as in relation to data concerning health (Article 9(4) of the GDPR and the end of recital 53) and employee data in the employment context (Article 88 of the GDPR). (22)
36. In the abstract, there is nothing to prevent the specific safeguards to which I have just referred from prohibiting an MDK from processing data concerning the health of its employees. However, the inclusion of such a prohibition (a choice the EU legislature did not make) does not seem to me to be necessary in order to further the objective mentioned above.
37. I therefore consider that the prohibition which the referring court asks about is not the inevitable consequence of a teleological interpretation of Article 9(2)(h) of the GDPR.
38. Nor do I believe that a systematic interpretation of that provision would have a different outcome, since:
– Assuming, for the sake of argument, that Article 9(2)(b) of the GDPR could correctly be construed as the sole basis enabling an employer to process its employees’ health data, (23) that would not affect the possibility for the same entity, not as an employer but as a medical service that has accepted an assignment from a KV, to carry out processing under another exception laid down in Article 9(2). (24)
– Article 9(3) of the GDPR lays down the conditions which persons processing personal data concerning health must comply with. Paragraph 2(h) of Article 9 expressly refers to paragraph 3; from a subjective standpoint, processing is not contingent on any other requirement. (25)
39. In short, I propose that the first question referred for a preliminary ruling should be answered in the negative (namely that the prohibition in question does not exist in the GDPR), which makes it possible to address the next question.
B. Second question referred
40. If (as I suggest) the answer to the first question referred for a preliminary ruling is in the negative, the referring court enquires whether ‘in a case such as the present one, [there] are … further data protection requirements, beyond the conditions set out in Article 9(3) of the GDPR, that must be complied with, and, if so, which ones’.
41. Broadly speaking, the answer to that question should not be overly problematic. (26) The Court of Justice has made clear that all processing of personal data must comply with the principles of Article 5 of the GDPR and with one of the conditions for lawfulness set out in Article 6 thereof. (27)
42. According to the referring court, compliance with the obligation of secrecy (Article 9(3) of the GDPR) would not be sufficient to protect data in circumstances such as those of the present case. It proposes other, complementary measures which, in its view, would be the only measures suitable for that purpose. (28)
43. I am of the view that, as such, Article 9(3) of the GDPR cannot serve as a basis for those additional measures. Its clear wording (which merely refines a provision already contained in Directive 95/46) (29) does not support proposals such as that of the referring court.
44. By contrast, those proposals could be covered by Article 9(4) of the GDPR. Under that provision, Member States may impose ‘further conditions, including limitations, with regard to the processing of … data concerning health’. (30) However, it is not apparent from the order for reference that that occurred in Germany.
45. That said, and for the reasons set out above, the processing of personal data concerning health must be subject, among other principles, to the principle laid down in Article 5(1)(f) of the GDPR and to the obligations deriving therefrom, detailed in Chapter IV of the GDPR.
46. The controller (31) must also implement appropriate technical and organisational measures to ensure that a specific processing operation complies with the GDPR. General provision is made to that effect in Article 24(1) of the GDPR.
47. In particular, Article 32(1) of the GDPR requires controllers to implement ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ posed to the personal data concerned.
48. Applying those rules to the present case, the MDK’s status as employer vis-à-vis ZQ imposes on it a higher than usual duty of care in relation to the processing of ZQ’s health data, because the risks are also higher. (32)
49. The MDK is not oblivious to that fact. When, at the request of a KV with which its employee is insured, it draws up reports to remove doubts as to that employee’s (in)capacity for work, it implements a set of specific technical and organisational measures intended to ensure that the processing of personal data concerning health complies with the GDPR. (33)
50. The assessment of those measures is a matter for the referring court, which may decide, after its assessment, that the measures taken were not sufficient. However, that does not mean that it can be inferred from Article 9 of the GDPR that an MDK is required to refuse automatically any request for a medical report (concerning its employees) from a KV. (34)
C. Third question referred
51. Assuming that the answer to the first question referred for a preliminary ruling is in the negative, in its third question the referring court enquires whether the exception to the prohibition on the processing of data concerning health ‘depend[s] on the fulfilment of at least one of the conditions set out in Article 6(1) of the GDPR’.
52. In order to answer that question, it is necessary to examine the relationship between Article 9(2) of the GDPR and Article 6 thereof on the lawfulness of processing. The need to comply with the latter article in all processing of data is laid down in the judgments of the Court of Justice cited above. (35)
53. In particular, in its judgment in Case C‑439/19, (36) the Court interpreted Article 10 of the GDPR concerning another category of sensitive personal data (relating to criminal convictions and offences) (37) and found that Article 6 of the GDPR applies in tandem with Article 10.
54. Does the same premiss apply to the personal data referred to in Article 9 of the GDPR?
55. The structure of Articles 9 and 10 of the GDPR is different. Article 10 contains an express reference to Article 6(1) of the GDPR while Article 9 does not.
56. The content of Article 9(2) and Article 10 of the GDPR is also not comparable: Article 10 merely lays down a subjective restriction on processing, while Article 9(2) sets out the purposes (or circumstances) justifying such processing, like Article 6(1).
57. Indeed, the similarities between Articles 6(1) and 9(2) of the GDPR are such that, at first sight, the circumstances listed in the latter appear to be specifications of the conditions listed in the former: they elaborate on them and, at the same time, make them more onerous.
58. The history and development of Article 9 of the GDPR cast doubt, however, on whether the relationship between it and Article 6 can be explained in terms of ‘special law’ and ‘general law’.
59. It is common ground that that interpretation was in fact supported by some Member State delegations. (38) However, documents concerning the negotiations on Article 9 reveal disagreements not about the reference to Article 6 (39) but rather about its scope (only paragraph 1 or other paragraphs too?). (40) In the end, the reference in Article 9 to Article 6 was deleted (41) and a paragraph similar to the present recital 51 of the GDPR was retained in the preamble. (42)
60. The notion of cumulation or complementarity between the two provisions is shared by the European Data Protection Committee (43) and was defended by the Article 29 Working Party (44) in relation to Article 8 of Directive 95/46. (45) However, that interpretation is not without its detractors among academic legal commentators and in other relevant circles. (46)
61. Having regard to the different subparagraphs of Article 9(2) of the GDPR, I am inclined to the view that the relationship between that provision and Article 6 does not really allow for a single answer to be given. Thus:
– Exceptions to the prohibition on processing such as those set out in Article 9(2)(a), (c), (g) and (i) (47) have a direct correlation with a specific legal basis in Article 6(1) of the GDPR and absorb that legal basis.
– The same is not true of other exceptions listed in Article 9(2) of the GDPR which indeed require additional justification under Article 6(1). That is the case, in my view, as regards Article 9(2)(h), with which the question referred for a preliminary ruling is concerned.
62. I therefore consider that, in order to ensure that the processing of sensitive data permitted by Article 9(2)(h) of the GDPR is lawful, it is necessary to ascertain which of the conditions set out in Article 6(1) provides such processing with a legitimate basis in each case.
63. The referring court does not dispute that this is the case, but rather, on the basis of that premiss, denies that the processing carried out by the MDK is justified under Article 6. (48)
64. At first sight, there does not seem to me to be an order of precedence between the legal bases contemplated in that provision. A more thorough analysis may require a more nuanced approach. (49) I consider, however, that such an analysis would go beyond what is needed to provide an answer to this reference for a preliminary ruling. (50)
65. In short, the answer to the third question referred for a preliminary ruling should indicate to the referring court that the exception to the prohibition on processing data concerning health requires the fulfilment of at least one of the conditions set out in Article 6(1) of the GDPR.
D. Fifth question referred
66. The referring court enquires whether ‘the degree of fault on the part of the controller or processor [has] a [bearing on] the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) of the GDPR’ and, in particular, whether ‘non-existent or minor fault on the part of the controller or processor [can] be taken into account in their favour’.
67. The question assumes that the GDPR was infringed (51) by the controller and asks whether the degree of fault on the controller’s part is relevant for the purposes of quantifying the compensation due for damage caused as a result of that infringement. According to the referring court, it is unclear whether the absence of fault or minor fault on the part of the controller may be regarded as exculpatory evidence.
68. Taken at face value, the question focuses on the quantification of compensation. The accompanying explanations nevertheless generated some confusion as it was unclear whether they were concerned with fault as a condition for attributing liability or as a factor for adjusting the amount of compensation.
69. When asked by the Court of Justice to clarify that ambiguity, the referring court stated that the question related to both aspects but did not provide any further details as to how they were connected to the main proceedings.
70. In the light of that reply, I will answer the questions raised by the referring court after (also) addressing those raised by the MDK concerning the possible involvement of the data subject in the occurrence of the damage. (52) My analysis comprises three parts.
– In the first part, I will address the basis for attributing liability under Article 82 of the GDPR.
– In the second part, I will examine the possible impact of personal data being consulted by an employee of the controller. (53) The specific, and key, element of that scenario is that the employee consulted the data at the data subject’s request.
– In the third part, I will take a view on the possible effect of the seriousness of the controller’s fault on the specific assessment of the non-material damage to be compensated.
1. Basis for civil liability under Article 82 of the GDPR
71. The referring court is of the view that paragraph 1 of Article 82 of the GDPR does not make the civil liability (of the processing manager (54)) conditional on the existence or proof of intent or negligence. It adds that paragraph 3 of that article does not support any other outcome.
72. It is admittedly not clear what model of civil liability the GDPR has opted for and that various interpretations are, a priori, possible. (55) The referring court’s approach is one of them and is, to my mind, the correct approach.
73. Interpreting Article 82(1) of the GDPR as establishing a system of civil liability that is detached from the fault of the processing manager is, I think, in line with its wording, is directly supported by its travaux préparatoires and, above all, serves the purpose pursued by the provision. It is acceptable in the light of other paragraphs of that provision, as well as the scheme viewed as a whole.
(a) Literal approach
74. The position taken by the referring court is consistent with the wording of Article 82(1) of the GDPR. On the face of it, the right to receive compensation from the controller is tied, without further formality, to the damage suffered as a result of a breach of the GDPR.
75. The remaining paragraphs of Article 82 do not point to any other answer. (56) In particular, I would not venture to infer a requirement of fault from Article 82(3) based on the word ‘liable’. That word appears only in some language versions of the GDPR, while others, by contrast, use ‘responsible’. In the German-language version, neither Article 82 nor the preamble includes the technical term specific to liability for fault (‘Verschulden’). (57)
76. A comparison of the different provisions of the GDPR shows that the terminology used is not always unambiguous, with the result that caution must be exercised when drawing inferences from their wording. In the English-language version, for example, the word ‘responsible’ is used to convey a wide range of meanings. (58)
77. The absence of any reference to the intention or fault of the controller in Article 82 of the GDPR contrasts with the references in Article 83 concerning administrative fines: ‘when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case’ due regard is to be given to the intentional or negligent character of the infringement of the GDPR. (59)
78. Although the mismatch between the wording used weakens the persuasiveness of the literal approach to interpretation, it at least supports the idea that neither intention nor fault is present in Article 82 of the GDPR and that that omission is deliberate and not the result of an oversight by the legislature.
(b) Travaux préparatoires
79. The discussions on the basis for attributing liability that was ultimately included in the GDPR were obscured by the context in which they took place within the Council, regarding the matter of multiple processing parties.
80. Those discussions were intermingled with procedural considerations and did not consider the distinction between, on the one hand, the function served by fault as a basis for attributing liability and, on the other, the function served by the absence of fault for the purposes of exempting a person from such liability.
81. Nonetheless, I think that the travaux préparatoires support an interpretation of Article 82(1) of the GDPR under which civil liability does not depend on the existence of fault on the part of the controller.
82. The Commission proposal followed the approach taken in Directive 95/46 and did not refer to negligence. A number of Council documents mention that the type of liability envisaged is ‘strict liability’. (60)
83. An amendment tabled in the Committee on Civil Liberties, Justice and Home Affairs of the Parliament sought to link liability to intent or negligence in the wording of paragraph 1 of Article 82 (then Article 77). (61) It was not passed. (62)
84. In the Council, the discussions on Article 77 and the criterion used to attribute liability related to the attribution and allocation of liability where several persons are involved in the same processing operation. In that context, the Presidency offered a choice between two options: (63)
– Under the first option, (64) each manager or processor would be held legally liable for the entire amount of the damage vis-à-vis the data subject (65) where they have infringed obligations imposed on them by the GDPR. (66) Their involvement in the damage, even on a minor scale, would allow the data subject to claim the full amount of compensation. If several parties were involved, the data subject would be able to claim that amount from each party. (67) However, each party would be released from liability if he or she could demonstrate that he or she was in no way responsible for the damage (‘0% responsibility’); that would be reflected in paragraph 3 of the article. The model is described as ‘closer (but certainly not equal to) the “liability follows fault principle”’. (68)
– The second option would have imposed an unavoidable obligation on the processing manager to compensate the data subject for the full amount of the damage, in a form of absolute liability, since no exemption was provided for. (69) A claim against the processor could only be brought by the data subject in the alternative. (70) No exemption was contemplated for the processor, either.
85. The compromise text submitted by the Presidency for adoption as a general approach (71) followed the first option, although it emphasised the exceptional nature of the exemption and made it more difficult to prove by wording Article 77(3) in the following manner: ‘… if … it proves that it is not in any way responsible …’. (72) That wording and the wording of the article which was ultimately adopted are the same.
86. In short, the analysis of the legislative process which led to the final version of the GDPR suggests that the liability referred to in Article 82(1) of the GDPR is not linked to fault on the part of the processing manager.
(c) Purpose
87. The GDPR establishes a system designed to ensure a high level of protection of natural persons while removing obstacles to flows of personal data. (73) Within that system, Article 82 pursues a compensatory purpose, without prejudice to the fact that it also serves, secondarily, to deter or prevent conduct at variance with its provisions. (74)
88. Ensuring compensation is an objective in itself: that follows from the importance which the legislature attaches to it and transpires from a simple reading of the text. Under the GDPR, the receipt of compensation where damage has occurred is a right enjoyed by data subjects, the concept of damages must be interpreted broadly, and compensation must be full and effective.
89. Compensation is linked to the aim of enhancing citizens’ confidence in the digital environment, an objective of general application which the GDPR sets out in recital 7. Providing data subjects with the assurance that, as a matter of principle, they will not simply have to bear the consequences of damage resulting from the unlawful processing of their data serves to foster such confidence: their assets are protected and, procedurally, their claims are more straightforward.
90. The fact that Article 82(1) of the GDPR does not tie the compensation obligation to a breach of a duty of care is consistent with that approach. At the legislature’s behest, the compensation obligation falls on whoever occupies a position of guardian or guarantor in the relationship, and precisely because of that fact.
91. It could therefore be said that, under the GDPR, what matters is the situation of the victim who suffers the damage resulting from the infringement, in the absence of a rule requiring the victim to bear the consequences of that damage.
92. Whether or not there was fault on the part of the person who caused the damage is irrelevant to the victim: the decisive factor is that the processing manager caused material or non-material damage to the victim as a result of a breach of the GDPR committed by the processing manager.
93. The objectives described above are more easily achieved under a model which ensures that proven damage:
– is repaired in all cases (unless there is a ground for exemption, which will be exceptional); and
– gives rise to compensation which is (comparatively) easy to obtain, not only because there is no need to prove fault on the part of the controller, but also because, where an infringement and the associated damage have occurred, the attribution of liability does not depend on any degree of fault.
94. Against the backdrop of adapting to the digital revolution, (75) that approach seems to me to be a consistent one. Rapid technological change means that, in the most common data processing activities carried out online, the absence of intent or negligence must not prevent compensation being awarded for damage which would otherwise be left unredressed.
(d) Scheme
95. My proposed interpretation is more in line with the scheme of the GDPR. That is confirmed by Article 82(3): exemption is possible if ‘a controller … proves that it is not in any way responsible for the event giving rise to the damage’.
96. The words ‘not in any way’ stand out in that provision and suggest that the model is not one based on fault (or even very minor fault) with reversal of the burden of proof.
97. If the view is taken that compensation does not depend on the controller’s fault, Article 82 acquires a specific meaning in Chapter VIII and, ultimately, in the GDPR as a whole.
98. The EU legislature assumes that the processing of personal data may be a source of risk. It requires processing parties to assess those risks and to take and update measures to prevent and minimise risks they have identified. (76)
99. It has been argued that a fault-based civil liability model promotes diligence and, therefore, protection against risks, while the alternative model, which does not take account of a party’s conduct, would discourage that party from exercising caution (because, in the event of damage, he or she would have to pay compensation anyway).
100. I am of the opinion that that outcome (77) is acceptable under the GDPR. Article 82 is part of a complex regulatory structure which includes public and private law tools to protect personal data. Within that structure, negligence (and intent) are relevant for the purposes of administrative penalties. I see no need for them also to be relevant for the purposes of civil liability, (78) which would run counter to the objectives of Article 82 and, moreover, would diminish the practical attractiveness of the remedy established by that article.
2. Effect of the data subject’s involvement
101. The questions concerning the need for fault on the part of the controller are related, in the present case, to the possible consequences deriving from the data subject’s involvement. (79)
102. For a better understanding of the matters set out below, it should be made clear that the circumstances of the dispute have been viewed from two angles:
– From the first angle, the processing of ZQ’s personal data by the MDK constitutes an infringement of the GDPR (Articles 9 or 6 thereof). The infringement in itself results in damage. (80)
– From the second angle, the data processing described above does not constitute an infringement of the GDPR or entail damage. Damage would result from the data being consulted by a specific employee of the MDK at the request of the data subject. (81)
103. I consider, in any event, that, as the referring court appears to maintain, (82) recourse must be had to Article 82(3) in order to determine the effect (if any) of the data subject’s conduct on the commission of the infringing act at the root of the damage.
104. That provision does not list, even by way of example, specific grounds for exemption from liability. Nor does recital 146. (83)
105. The GDPR appears to depart in that regard from Directive 95/46, Article 23(2) of which contained a rule similar (84) to the current Article 82(3) of the GDPR: recital 55 of Directive 95/46 cited, as examples of grounds for exemption, fault on the part of the data subject and force majeure, (85) which are not found in the GDPR.
106. Unless I am mistaken, it is not apparent from the travaux préparatoires for the GDPR that there was any discussion of those two examples, which did appear in the Commission proposal (86) and were retained by the Parliament. (87)
107. Their deletion and the inclusion of the words ‘not in any way’ occurred during the abovementioned debate on how to regulate liability in the case of processing operations involving multiple managers or processors. (88)
108. It transpires from the available documentation (89) that, in the final version, the processing manager would qualify for the exemption if he or she could demonstrate that he or she was in no way responsible for the damage (‘0% responsibility’). The same applied to the processor. (90)
109. On that basis, I do not think that the disappearance of the two examples in the preamble, alongside the insertion of ‘not in any way’ in the same preamble and in Article 82(3) of the GDPR, has the result (or the aim) of excluding the data subject’s actions from the grounds for exemption from liability. (91)
110. Rather, it appears that the data subject’s actions are still capable, depending on the circumstances, of breaking the essential link between the ‘event’ (Article 82(3) of the GDPR uses that term) and the controller’s responsibility. Emphasising the restricted nature of the escape clause does not prevent a particular act of the data subject from giving rise, on its own, to damage and, consequently, from triggering the exemption from liability of the processing manager.
111. A systematic interpretation militates in favour of account being taken, in the context of liability for damage, of the data subject’s involvement in causing that damage. In the scheme of the GDPR, individuals have a role to play in the protection of their data and, to that end, they are given tools which are, in themselves, rights.
112. From a teleological point of view, I consider that the GDPR seeks to provide a high level of protection, but not to the extent that it requires the controller to pay compensation also for damage resulting from events or actions attributable to the data subject. (92)
3. Calculation of compensation. Effect of the degree of fault on the part of the person liable for the damage
113. The referring court confirmed that the fifth question referred for a preliminary ruling concerns whether the degree of fault on the part of the controller affects the calculation of compensation. More specifically, it asks whether the absence of fault or minor fault on the part of the controller may be taken into account in his or her favour.
114. Article 82 of the GDPR says little, if anything, about the key aspects of compensation which would have an impact on its calculation. It provides no guidance to a person interpreting that article on the elements making up such compensation, (93) on the criteria for assessing (quantifying) those elements, (94) or the factors which might affect the amount thereof. (95)
115. Nevertheless, I consider that the GDPR confers on data subjects a right to compensation the amount of which is to be determined on the basis of the damage actually suffered. Once a figure compensating that damage in objective terms has been established, it should not be altered according to the extent of the controller’s negligence.
116. In support of my position, I refer mutatis mutandis to my views on the attribution of liability to the processing manager, irrespective of fault on his or her part, in the scheme of Article 82 of the GDPR. From the perspective of the victim, whose (tangible and intangible) assets must be unimpaired following the occurrence of the damage, compensation for that damage must be paid without it being tied to the fault of the processing manager, regardless of its degree. (96)
117. I think that the same outcome follows from the conclusion that Article 82 of the GDPR (the travaux préparatoires for which do not offer up any material to support one position or the other) (97) differs from other EU legal instruments, which expressly distinguish between whether or not a party was ‘knowingly’ involved in the infringement when setting the amount for which compensation may be awarded under the head of civil liability. (98)
118. In my view, that assessment is supported by two further arguments:
– Article 83 of the GDPR takes into account the negligence (and intent) of the infringer when determining the amount of the fine. (99) The legislature could have taken the same approach for the calculation of civil liability, but did not do so.
– The GDPR insists that compensation must be full and effective (100) (recital 146 and Article 82(4) where several controllers or processors are involved in the same processing operation). (101) In my view, the qualifier ‘full’ suggests that there should be no downward revision of the amount of compensation based on the lesser degree of negligence on the part of the controller. (102)
V. Conclusion
119. In the light of the foregoing considerations, I propose that the Court of Justice reply to the Bundesarbeitsgericht (Federal Labour Court, Germany) as follows:
‘Article 9(2)(h) and (3) and Article 82(1) and (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that:
it does not prohibit a medical service of a health insurance fund from processing data concerning the health of an employee of that service, where those data are a prerequisite for assessing that employee’s working capacity;
it permits an exception to the prohibition on processing personal data concerning health, where such processing is necessary for the purposes of assessing the employee’s working capacity and complies with the principles set out in Article 5 and with one of the conditions for lawfulness laid down in Article 6 of Regulation 2016/679;
the degree of fault on the part of the controller or processor does not have a bearing on establishing the liability of either of them or quantifying the amount of non-material damage to be compensated on the basis of Article 82(1) of Regulation 2016/679;
the involvement of the data subject in the event giving rise to the compensation obligation may trigger, depending on the circumstances, the exemption from liability of the controller or processor provided for in Article 82(3) of Regulation 2016/679.’