Our remarks • The Court concluded that GDPR, Article 82(1) must • The Court stated that the subjective feeling of be interpreted as including compensation for non- being infringed is not sufficient to award damages material damage. under GDPR, Article 82(1). Instead, it requires that • Collecting personal data on approximately 20,000 the unlawful act under data protection law has citizens in a single Excel sheet does not violate caused damage or imminent risk of damage to, for the principle of data minimization. Therefore, a example, reputation, loss of confidentiality, etc., or controller may collect large amounts of personal other consequences of a certain qualified nature. data in individual files if it is necessary to process Specifically, in this case, one of the citizens had DKK the data in the same document to fulfill a task. 95,000 stolen from his bank account. This loss was compensated, but the citizen’s fear of future misuse • Even if an employee breaches internal guidelines, of his information was not damage of a ”qualified” the controller can be accountable if the controller is nature according to the District Court’s assessment. aware that the unlawful act is being carried out. In • At the time of writing, this judgment is under appeal this case, employees of Gladsaxe Municipality were to the High Court. The legal position regarding prohibited from storing personal data locally on the compensation for non-material damage in computers, but at the same time, the municipality Denmark is therefore not carved in stone and can was aware that employees had to store the file probably only be considered definitively clarified locally to be able to work in it. when a similar judgment is delivered by the Court • The district court held that GDPR, Article of Justice of the European Union or the Supreme 82(1) provides for the possibility of awarding Court. compensation/indemnification to the data subject for damages that are not of a non-material nature. This may increase the disadvantages of being criticized, as the data controller will risk being faced with claims for compensation from the data subjects who have been affected by the unlawful processing, even if the Data Protection Authority does not issue a fine. 113