Technology | GDPR and Life Sciences – Clarifications on the calculation of compensation from the CJEU
The key points of the matter are:
- Processing of special categories of data requires both a legal basis under Article 6 GDPR, and a valid exception under Article 9 GDPR
- The purpose of Article 82 GDPR is to guarantee the full reparation of the actual harm suffered by the data subject
- The degree of fault or negligence of the controller or processor is not relevant to the calculation of compensation under Article 82 GDPR
- Mere violation of the GDPR does not in itself establish a basis for compensation
The case concerned a service provider, MDK Nordrhein, that prepares expert evaluations on employees’ work incapacity for health insurance companies. In connection with such expert evaluations, the company handles health data about the relevant employees. The matter arose when one of MDK Nordrhein’s own employees became incapacitated for work, and the company was assigned the task of evaluating its own employee’s work incapacity on behalf of the health insurance company. During this process, certain MDK Nordrhein staff members accessed health data concerning their co-worker. This situation prompted questions regarding whether MDK Nordrhein’s processing of its employee’s health data — acting not as an employer but as a service provider to health insurers — complied with the General Data Protection Regulation (GDPR). The CJEU affirmed the legality of MDK Nordrhein’s data processing activities.
The judgement contains several clarifying statements regarding the assessment of compensation for the violation of Article 9 GDPR, which pertains to the processing of special categories of personal data, such as health data. As an important reminder, the judgement clarifies that processing of special categories of data requires both a legal basis under Article 6 GDPR, and a valid exception under Article 9 GDPR. It further clarifies that the objective of compensation for damages under Article 82 GDPR, the sole provision addressing the rights of data subjects to receive compensation for unlawful data processing, is not to impose a dissuasive or preventive effect on the party at fault. The purpose of Article 82 GDPR is exclusively to guarantee the full reparation of the actual damage suffered by the data subject. Consequently, in the calculation of compensation under Article 82 GDPR, the degree of fault or negligence demonstrated by the liable party in their data processing should not be taken into account. This represents a divergence from Articles 83 and 84, which deal with administrative fines and penalties and are precisely intended to exert a dissuasive or preventive effect. Therefore, in determining a fine or a penalty, one must consider, among other things, whether the infringement was intentional or resulted from negligence, as stipulated in Article 83 (2) (b) and Article 84 (1).
Moreover, the judgement clarifies that a mere violation of the GDPR does not automatically establish a basis for compensation under Article 82 GDPR. On this point, the CJEU confirms its finding in the case C-300/21 (Österreichische Post AG) of May 2023. Data subjects are entitled to compensation only in the event that: (i) the data subject has suffered damage, (ii) the responsible party has breached the GDPR’s provisions, and (iii) there exists a direct causal connection between the harm suffered and the violation in question.
In its decision in Österreichische Post AG, the CJEU stated that it is up to the national courts to decide the extent of compensation, based on their domestic rules, provided that the principles of equivalence and effectiveness of EU law are complied with. In the MDK Nordrhein case, the CJEU further clarified that the degree of fault or negligence shall not be taken into account in the calculation of compensation. Due to this, important questions on the actual consequences of a GDPR breach are left to the national courts. This applies in particular to whether controllers and processors may be liable for compensation for non-material damages. Under Norwegian law, the Personal Data Act section 30 explicitly states that compensation for non-material damages can be issued for breach of Article 82 GDPR.
Whilst the specific circumstances of the MDK Nordrhein case might not be commonplace amongst entities that process health data, the judgement by the CJEU includes statements with broad implications that will likely influence subsequent decisions on the awarding of compensation under Article 82 GDPR, as well as on the imposition of fines (Article 83 GDPR) and penalties (Article 84 GDPR). This may be especially pertinent in instances of unlawful processing of health data, where the issue of negligence is frequently considered a relevant factor.