Following a data breach at Gebühren Info Service GmbH (GIS), the Austrian TV licence fee collection company, the data protection authority recently ruled that the fundamental right to data protection had been violated and that GIS had breached the GDPR. The cause was a data leak in which citizens' resident registration data were intercepted by a third party and offered for sale online.
What happened?
In 2020, GIS commissioned an IT subcontractor to restructure the database. In the process, the subcontractor inadvertently uploaded unprotected resident registration data - around 9 million data records - online. According to reports, the unprotected data were available on the server for about a week. A hacker (who, according to reports, has since been arrested) accessed them and offered them for sale via an online forum.
Decision of the data protection authority
The data protection authority found that GIS had infringed data protection regulations by placing unprotected resident registration data online due to a lack of suitable technical and organisational measures.
No penal order was issued because GIS has the status of a public body.
Entitlement to compensation for immaterial damage
Parties affected are currently joining a class action to claim compensation from GIS. Due to the ECJ's decision regarding the elimination of the materiality threshold, which was issued in May this year in case C-300/21 (see our KWR blog dated 17 May 2023 Gefühlsschaden II | KWR), prospects of obtaining appropriate compensation for immaterial damage are not too bad.
As already mentioned in our previous blog on this topic, the requirements to be granted compensation for (immaterial) damage are as follows: a breach of data protection law, the occurrence of actual (immaterial) damage and a causal link between the breach of law and the damage. The question of whether fault is also required for the assertion of compensation for immaterial damage has been referred to the ECJ (C-667/21) (see our KWR blog dated 7 December 2023 Fault or no fault for immaterial damage claims under data protection law | KWR). The decision is still pending.
Outlook
As the ECJ holds that no materiality threshold is required for the immaterial damage sustained, a "lesser" impairment of the affected party's emotional sphere might be sufficient. In any case, those affected will continue to be under an obligation to prove that actual immaterial damage was sustained. The mere fear of potential future damage will in no event be compensated for.
The KWR Data Protection Team will be happy to answer any questions you might have.