Court case 13073/23 – Court Ruling (Italy, 2023)

A court of first instance ordered a municipality – the controller – to compensate one of its employees – the data subject – for non-material damages suffered as a consequence of an unlawful processing of personal data. In particular, the accidental publication of certain data unnecessarily affected the data subject’s reputation. The controller appealed the decision arguing that the court of first instance granted compensation for a GDPR violation without considering whether such a violation actually harmed the data subject. The Court of Cassation rejected the controller’s appeal. According to the court, the right to compensation for non-material damages directly stems not only from Article 82 GDPR, but also from Article 8 ECHR and Articles 2 and 21 of the Italian Constitution. In the first place, the court held that the right to compensation for non-material damages is not excluded by the fact that the controller subsequently brought processing operations into compliance with the GDPR. Second, the court stressed that not every violation necessarily leads to liability under Article 82 GDPR. As a matter of fact, the violation must have entailed actual harmful consequences on the data subject. That said, it is not necessary that the harm suffered meets a minimum threshold, being subject to compensation also a “marginal” damage. In this case, the Court of Cassation upheld the judgement of the court of first instance, as the latter considered the violation in its context and determined that type of data and factual circumstances objectively gave rise to non-material damages.