Main effects of the ECJ's decisions on GDPR compliance
Background to the ECJ rulings:
The judgments of the European Court of Justice (ECJ) in cases C-340/21 and C-456/22 provide important clarifications on the General Data Protection Regulation (GDPR). These decisions are decisive for the interpretation and application of the GDPR, particularly in the area of processing personal data (PII). They address key aspects of the GDPR, such as liability for data breaches and the recognition of non-material damage, and offer companies guidance in their data protection management.
Key aspects and implications:
1. Evaluation of security measures: Courts must assess the security measures in concrete terms. A data breach on its own does not establish that the measures were inadequate. This increases the burden of proof on data processors to show that their security strategies are adequate.
2. Liability for damage caused by third parties: Data processors can be held liable if third parties gain unauthorized access to personal data, unless the processor proves that it is not responsible for the incident.
3. Non-material damage: The fear that personal data may be misused is recognized as non-material damage, which extends the scope of companies' liability.
4. No de minimis threshold for non-material damage: The ECJ rulings strengthen the right of affected persons to compensation, even where the non-material damage is minor.
Recommendations for companies:
1. Risk-based security strategies: Companies should tailor their security measures to the specific risks of their own data processing. A one-size-fits-all approach is no longer sufficient.
2. Documentation and evidence: Complete documentation of security measures and processes is essential. Companies must be able to demonstrate that their measures are appropriate.
3. Third-party provider management: Third-party providers with access to personal data must be carefully reviewed and monitored. Companies should not shift their responsibility entirely onto third parties.
4. Training and awareness-raising: Employee training on data protection and data breaches is essential to build awareness and competence in handling personal data.
5. Proactive measures and continuous adaptation: Companies should take proactive measures to minimize risks and continuously improve the security of personal data. This includes keeping pace with legal and technological developments.
6. Strengthening data protection management: Effective data protection strategies must be implemented and reviewed regularly. This includes establishing contingency plans and response mechanisms for data breaches.
Summary and outlook:
The ECJ rulings underline the importance of a comprehensive, individually tailored approach to data protection. They signal a move towards stricter liability rules and a broader recognition of damages under the GDPR. Companies must continuously rethink and adapt their data protection practices in order to meet the heightened requirements and ensure effective protection of personal data.