The Privacy Code, first, and the GDPR, then, have provided for the right to compensation for damage for the interested party who has seen their right to privacy violated.
The repealed art. 15 of the Privacy Code recognized the right to compensation for non-pecuniary damage, art. 82 of the GDPR qualifies this damage as "immaterial".
Compensation for damage from breach of the right to privacy is governed by art. 2050 cod. civ., rule expressly referred to in art. 15 of the Privacy Code still considered suitable, despite the repeal of the aforementioned art. 15, to identify the compensatory conditions for the damage which will be discussed.
Specifically, the processing of personal data is considered as "dangerous activity” e, consequentially, once the damage and the causal link between the conduct has been proven, commission or omission of the data controller, there will be a presumption of guilt and the plaintiff will not have to prove the existence of willful misconduct or the fault of the data controller.
On the contrary, the latter will be able to demonstrate that it has taken all appropriate measures to avoid the damage so as to exclude its own liability.
Make these necessary premises, the question to be answered is therefore in what terms the plaintiff must prove the damage caused by the infringement of his right to privacy.
On this point it is worth recalling the recent rulings of the Supreme Court of Cassation (n.19328 of 09.17.2020, n.16402 of 10.06.2021) in mind of which the non-pecuniary prejudice is notin the thing itself “but it must be attached and proven by the plaintiff, under penalty of distortion of the functions of Aquilian responsibilitya”. The actor is required, indeed, to prove the "loss of a personal nature actually suffered”, having to, moreover, subsist "an unjustifiable infringement of the law, not the mere violation of the provisions "placed to protect the right to privacy”.
It follows that it is not sufficient to deduce the sole violation of a rule governing the rights of the data subject (it is. art. 14 GDPR by those who process personal data having acquired them from third parties and not having provided information to the interested party) so that the right to compensation for damage can be recognized, but proof of the damage actually suffered by the interested party - plaintiff must be provided.
It can be cited, as an example, the case handled by the Court of Arezzo (sent. n. 272/2020). The plaintiff complained of the illegitimate conduct of her bank that, not having adopted suitable precautionary measures to avoid unauthorized access by third parties to their internet banking, he had to be responsible as much for the subtraction of € 5.000,00, how much of the damage pursuant to art. 15 Privacy Code, today replaced by art. 82 GDPR, quantified on an equitable basis in an amount equal to the pecuniary damage.
The judge from Arezzo in rejecting the request stated that the plaintiff had not even deduced what the non-pecuniary damage consisted of and that "only in the context of the final statement (e, so, relentlessly belatedly) plaintiff party has attached that “…the subtraction, by third parties, home banking login credentials, occurred due to a safety and control system set up by the U. B. “NOT COMPLYING with the most advanced safety standards of the moment”, resulting in a real violation of the confidentiality of the actress's personal data, pursuant to art. 4 of the so-called. GDPR, it has had negative consequences for the same not only from an economic and patrimonial point of view, but also from an emotional and psychological point of view, making them perceive to this day, exponentially, the fear and concern of further future violations, making her lose faith in computer systems to the point of inducing her to change her daily habits (sometimes giving up even making payments with credit cards, ATM) systems, however, the use of which appears increasingly indispensable in the present historical periodAt the conclusion of the remarks argued in the narrative explained, it is worth reiterating, so, that, in filing claims for compensation, the plaintiff must take care to deduce and prove the non-pecuniary damage suffered since it does not automatically result from the sole violation of a rule of the GDPR.
Scientific contribution of’Lawyer. Manuela Natale