The ruling of the Court of Justice of the European Union (CJEU) on April 11, 2024, in case C-741/21 GP/juris GmbH has sparked discussions about its impact on national regulations concerning data protection. However, according to a letter from the President of the Office for Personal Data Protection (UODO), Mirosław Wróblewski, addressed to the Minister for European Union Affairs, Adam Szłapka, Polish law does not require amendments in light of this ruling.
Content of the CJEU Ruling
The CJEU emphasized that in claims for non-material damage under Article 82(1) of the GDPR, a mere violation of the regulation’s provisions is not sufficient. It is also necessary to demonstrate that the individual whose data was affected suffered actual damage. The severity of the damage is irrelevant, which is consistent with the Court’s previous rulings, such as the judgment on December 21, 2023, in case C-667/21 Krankenversicherung Nordrhein and the judgment on January 25, 2024, in case C-687/21 MediaMarktSaturn.
Position of the UODO President
In his letter dated May 18, 2024, President of the UODO, Mirosław Wróblewski, stated that the CJEU ruling does not necessitate changes to Polish regulations. He emphasized that the principles for determining liability for damage caused by violations of GDPR provisions are specified in the Civil Code, and such matters are resolved by civil courts. According to Article 415 of the Civil Code, a person who has caused damage to another through their fault is obliged to repair it, regardless of the extent of the damage incurred.
Interpretation of Regulations in Poland
Polish courts clearly state in their jurisprudence that the amount of compensation is determined based on civil law provisions, in accordance with the principle of full compensation. GDPR provisions regarding financial penalties are not applied in the context of determining compensation amounts.
Although the CJEU ruling does not require changes to Polish law, it will influence the interpretation of regulations concerning the determination of liability for damages caused by data protection violations. According to the ruling, Articles 82(2) and (3) of the GDPR establish a fault-based liability system, whereby it is presumed that the data controller was involved in the data processing that constituted a violation. This means that the burden of proof lies with the data controller, not the individual who suffered the damage.
Conclusion
The CJEU ruling of April 11, 2024, in case C-741/21 GP/juris GmbH, by confirming the need to demonstrate actual damage, aligns with the Polish legal system. Polish law does not require amendments; however, this ruling will impact the interpretation of provisions regarding liability for GDPR violations, influencing court practices in adjudicating compensation claims for data protection breaches.
