Lübeck Regional Court: Liability of the controller under Art. 82 GDPR in the event of a data leak

Liability of the controller in the event of a data leak by the processor.
In a ruling dated October 4, 2024, the Regional Court of Lübeck dealt extensively with liability under Art. 82 of the General Data Protection Regulation (GDPR) in the event of data protection violations. The decision contains key principles on the imputability of unlawful data processing, the interpretation of the concept of damage and the possibilities of exculpation for data controllers. The central question was under what conditions a controller is liable for infringements that are attributable to the actions of a processor or sub-processor.

Data leak from sub-processor

The defendant, operator of a music streaming platform in Europe, had transferred customer data to a processor, which in turn worked with a sub-processor. However, there was no agreement between the processor and the sub-processor as required by Art. 28 GDPR.

After the defendant terminated the cooperation with its processor, a data leak occurred at the sub-processor in which personal data was stolen and subsequently published on the darknet. The data concerned included first and last name, user name, date of birth, email address, data on the use of the D. service, gender, language and country. The UserID, i.e. a sequence of numbers assigned by the defendant, which is individually assigned to individual users, was also affected.

The plaintiff, a user of the defendant's streaming platform, claimed non-material damages and argued that they feared their data would be misused as a result of the data leak. In addition, the publication of the data on the darknet was to be regarded as an independent violation of their right to informational self-determination.

Court: Unlawful data processing under Art. 82 GDPR to be interpreted broadly

  1. Attribution of the infringement to the controller
    The court found that the concept of involvement in unlawful data processing under Art. 82 GDPR should be interpreted broadly. It is sufficient that the controller was involved in the series of operations that led to the act causing the damage in the sense of a conditio sine qua non. "The concept of participation in unlawful data processing under the GDPR does not necessarily require that the controller itself has directly participated in the process that ultimately caused the damage," said the Regional Court.

    In this case, the court considered the defendant to be involved in the unlawful transfer of data to a processor that was not subject to sufficient obligations. The lack of a contract pursuant to Art. 28 (4) GDPR established the unlawfulness of the data transfer.

  2. Possibility of exculpation for the controller
    According to Art. 82 para. 3 GDPR, a controller can exculpate itself by proving that it is not at fault. However, the court emphasized that this also applies to its own contribution to the cause. The defendant was unable to prove that the data had been passed on to the processor through no fault of its own. In particular, it was negligent to pass on personal data without sufficiently checking the recipient's obligations under data protection law.

    "If the disclosure was negligent, the controller is liable even if it was not directly involved in the process that caused the damage," the judges concluded.

  3. Definition of damage and compensability of non-material damage
    The court followed the existing case law of the European Court of Justice (ECJ), according to which non-material damage within the meaning of Art. 82 GDPR can also lie in the justified concern that data may be misused. There is no de minimis threshold. The plaintiff's fears and concerns - for example about phishing attacks - were recognized as compensable non-material damage.

    In addition, the court found that the publication of personal data on the darknet constituted damage in its own right. This violation of the right to informational self-determination was deemed to be a loss of control over one's own data, justifying compensation.

  4. Assessment of damages
    The court awarded the plaintiff compensation for pain and suffering in the amount of 350 euros. In doing so, it took into account the publication of sensitive personal data and the resulting anxiety. On the other hand, no significant financial loss had been incurred, and the data allowed only limited conclusions to be drawn about the plaintiff's person.

Controllers bear an increased liability risk

The judgment of the Lübeck Regional Court clarifies the strict requirements of the GDPR regarding the responsibility of companies when processing personal data. The expansion of the concept of participation and the extensive attribution of actions by third parties in breach of instructions significantly increase the liability risks for controllers.

The recognition of immaterial damage in the form of fears and worries and the classification of loss of control over personal data as independent damage mark a further step in the development of liability under Art. 82 GDPR. This makes it necessary for companies to implement comprehensive technical, organizational and contractual measures in order to comply with data protection obligations and minimize liability risks.

Source: Judgment of the Regional Court of Lübeck (15 O 216/23) dated 04.10.2024
