Compensation for Damage Resulting from the Processing of Personal Data
The institution in question was initially regulated by what we know as the Privacy Code, formally contained in Legislative Decree 196/2003, which collects Italian legislation on the protection of personal data.
Today, however, the matter is directly governed by Article 82 of EU Regulation 2016/679 (GDPR), which replaced Article 15 of the Privacy Code, expressly repealed by Legislative Decree 101/2018.
In particular, the aforementioned Article 82 GDPR provides that anyone who has suffered material or non-material damage as a result of a violation of the regulation has the right to obtain compensation from the data controller or the data processor. Liability therefore falls directly on these subjects, unless they prove that the harmful event is in no way attributable to them.
It follows that, when one is responsible for the protection of personal data, it is necessary to adopt every suitable measure to safeguard such data, primarily to prevent their dispersion and fraudulent use. It will therefore be the burden of the controller or processor to demonstrate that they acted correctly and that the violation did not depend on their conduct, thus avoiding liability.
The compensable damage may be both pecuniary and non-pecuniary, or both may coexist; however, it is up to the person who claims to have suffered it to provide proof.
Compensation for Unlawful Data Processing
In order to obtain compensation for damages, it is necessary to follow various steps aimed at obtaining a judicial ruling that acknowledges the right to be compensated and obliges the wrongdoer to pay.
First of all, it is essential to send what is known as a letter of warning and formal notice, which serves several functions: it sets a deadline within which the person who caused the damage must compensate it, and it also interrupts the statute of limitations, allowing the term to start running again from the beginning.
This is a fundamental step, since people are often unaware that, even in civil law matters, there are limitation periods to be respected, after which it is no longer possible to enforce one’s claim.
Once such a letter has been sent, if we still fail to obtain what was requested (a highly probable situation, since normally the wrongdoer will reply that there is nothing to pay), we can proceed by filing a civil lawsuit.
During the proceedings, there will be an evidentiary phase in which, through witnesses, formal interrogations, and the submission of documents, it will be possible to prove the damage suffered and the causal link between the wrongdoer’s conduct and the harm itself.
The burden of proving all this lies exclusively with the person who claims to have been harmed, with the consequence that, if they fail to provide sufficient elements to convince the judge, they will have to give up obtaining compensation.
It should also be clear how lengthy the entire proceedings may be.
Indeed, it cannot be overlooked that there may be multiple levels of judgment and, in particular, the case could reach the third level before the Court of Cassation.
Furthermore, even when a final judgment has been obtained, it may happen that the party ordered to pay compensation does not comply voluntarily, thus making the enforcement phase necessary, with related formal notice, attachment, and so on.
Although it may seem difficult, it is important not to get discouraged and to go forward with the conviction that sooner or later justice will recognize our claim and ensure we are compensated, even though not everyone has the possibility to wait and bear the necessary expenses in the meantime.
Many, in the end, just to live a life without complications, end up renouncing hard-earned legal claims.
Class Action on Loyalty Cards – Data Breach
Violations in the processing of personal data constitute one of the greatest problems of the twenty-first century, given the widespread use of information technology and telematic tools for the most varied activities, for example in the field of loyalty cards or the improper storage of data provided to smartphone apps.
The most controversial cases inevitably concern access to and registration on websites, for which it is always necessary to enter one’s data and subsequently consent to their processing.
I don’t think I’m straying too far from the truth when I say that none of us—or at least very few—actually take the time to read the conditions we accept with a simple click on “I consent”, without which the fateful “next” box does not become accessible, the only thing we are really interested in when we are about to make a purchase, stream a movie, or download a free version of a program.
Usually, in fact, we consent first and foremost to the processing of our personal data in order to access the desired service but, moreover, we also consent to their use for commercial purposes, as well as their transfer to third-party companies for market research.
This is why, to our surprise (and annoyance), without knowing the reason, we continue to receive emails, text messages, or even promotional calls aimed at selling us all sorts of things, without realizing what triggered it all.
But this is only the legitimate inconvenience of the consents we indiscriminately give, since there is nothing unlawful in the use of data for the purposes we expressly accepted; the problem arises when such data begin to be used unlawfully, although unfortunately it is often very difficult for the victim to even realize it.
The most striking cases are represented by IT services offered, for example, by Poste Italiane, banks, as well as websites where tickets for means of transport—such as airline or train tickets—can be purchased. In these cases, credentials may be stolen, allowing an intruder to unlawfully access our accounts or credit cards, causing economic damage, sometimes very significant.
It is evident that the most at-risk sites are those requiring the insertion of more data, such as identity documents, since once entered we can only rely on the operator to whom we entrusted them, hoping that they have a sufficiently secure IT system, able to withstand even the most aggressive hacker attacks.
Sale of Data for Financial Gain
When we talk about compensation for damages due to privacy and personal data breaches, although most of us immediately think of our sensitive data being disclosed without authorization, reference is also made to the violation of our right to image, especially if our image is an economically valuable asset.
This is the case for celebrities, who very often demand and obtain substantial compensation from magazines and websites that publish stolen images of them in private places, where the camera lens should not have access.
In this case, however, two different interests of equal legal value must be balanced: the protection of one’s privacy and the right to information, albeit of a sensationalist nature.
This balancing therefore excludes any kind of violation in cases where images or other data are legitimately acquired in public or publicly accessible places; on the contrary, it is a violation to unlawfully enter real or virtual places where access is private and where such data are stored, data which, through our own fault, we often fail to properly value.
Who Violates Our Data and Steals It for Profit
It is necessary to distinguish between those who are responsible for the disclosure of data because, under contract, they are obliged to prevent it, and those who, on the contrary, commit outright fraudulent theft from the “custodians’” IT systems.
The latter are not liable for damages for failing to adopt adequate measures to prevent access; instead, they are criminally liable, as their conduct amounts to actual theft.
Needless to say, in order to carry out such conduct, it is necessary to have IT skills that certainly go beyond the basic knowledge that we all have. These are the so-called hackers, people who can easily overcome every virtual barrier to reach the treasure of our data and, ultimately, our money.
It is not always necessary to have a degree certifying such skills since, more often than not, we are not dealing with IT engineers but simply with those young geniuses who, from the outset of their lives, have shown a talent and aptitude for the virtual world.
A famous example was the WikiLeaks case, which probably involved the largest data theft in modern history.
The point is this: when there are worlds we cannot fully understand or manage, we are in danger.
This happens in every field, and even more so in IT.
We entrust our lives and our secrets to a computer, while knowing we have no tools to fight potential attackers far more skilled than we are, relying essentially only on luck to guide our virtual existence.