Risk of damages for data protection violations grows
Last Thursday, the European Court of Justice (ECJ) issued a ruling on damages for data protection violations. The judgement confirms that companies have a (very) far-reaching responsibility and are subject to strict liability.
The ruling states that data subjects can already claim damages if they have a mere fear of misuse of their personal data. This applies in particular if their data is affected by cyberattacks, but also in the event of any other unauthorised access or unauthorised disclosure.
If a data subject then says that they have lost control of their data as a result and fear that their data could be misused in the future, this may be sufficient to assume such “non-material damage”, the ECJ states.
However, the company can avoid liability if it can prove that it has taken suitable and sufficient technical and organisational protective measures. To determine what measures can be considered adequate, the individual risks of the processing must be taken into account here, as well as the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing.
Summary and recommendation:
If such a data protection incident occurs, the risk of customers and other affected persons claiming damages increases. Depending on the number of data subject, the amount multiplies.
You can only reduce this risk by
- protecting personal data in the best possible way,
- ensuring that the measures taken are appropriate to the existing risk and
- being able to prove both.
You should therefore constantly review the technical and organisational measures for protecting data and the IT systems used and tighten them up if necessary. This helps data protection and IT security and also reduces the liability risk.
If you have any questions, please do not hesitate to contact us.