In its recent ruling issued in April 2024, the European Court of Justice (ECJ) in case C-741/21, addressed the liability for "non-material damage" resulting from GDPR infringements and the question of whether a controller can be held accountable for damages caused by errors made by individuals under its authority.

First, the ECJ reiterated previous case law which states that an infringement of a GDPR provision which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of Article 82(1) GDPR, irrespective of the degree of seriousness of the damage suffered by that person but rather three cumulative conditions must be met: (a) breach of a GDPR provision (b) the existence of damage (c) a causal link between the breach and the damage.

The Court then examined whether Article 82 of the GDPR must be interpreted as meaning that it is sufficient for the controller, in order to be exempted from liability to claim that the damage in question was caused by the failure of a person acting under his authority. It should be recalled that Article 82 of the GDPR states, in paragraph 2 thereof, that any controller involved in the processing is to be liable for the damage caused by processing which infringes that regulation and, in paragraph 3 thereof, that a controller is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

The ECJ firstly noted that, the persons acting under the authority of the controller, such as its employees, who have access to personal data, may, in principle, process those data only on instructions from that controller and in accordance with those instructions. Secondly, under Article 32(4) the controller is to take steps to ensure that any natural person acting under the authority of the controller, does not process them, except on instructions from the controller, unless he or she is required to do so by EU or Member State law. Lastly, it is for that controller to ensure that his or her instructions are correctly applied by his or her employees. Accordingly, the ECJ held the controller cannot avoid liability under Article 82(3) of the GDPR simply by relying on negligence or failure on the part of a person acting under his or her authority.

Implications for Controllers and Data Subjects

This strict interpretation by the ECJ underscores the accountability of controllers in managing data protection within their organizations and enhances protection for individuals against data misuse. Controllers are urged to enforce rigorous data protection policies, train employees, and ensure their adherence to prevent breaches.

For data subjects, the ruling reinforce their right to seek compensation for non-material damages, contingent upon demonstrating a direct link between the GDPR breach and the actual damage.

You can contact us for more information: info@2e-law.com

Directive (EU) 2024/1069 of the European Parliament and of the Council of 11 April 2024 on protecting persons who engage in public participation from manifestly unfounded claims or abusive court (hereinafter, “the Directive”) has been published in the Official Journal of the European Union. Its purpose is to eliminate obstacles to the proper functioning of civil procedures, and at the same time to protect natural and legal persons who carry out public activities on matters of public interest, including publishers, media, public interest groups and human rights defenders, as well as civil society organisations, NGOs, trade unions, artists, researchers and academics, against legal proceedings initiated with the aim of preventing them from civic engagement.

The Directive shall be applicable to any type of legal claim or action of a civil or commercial nature, with a cross-border element, adjudicated within the context of civil proceedings, regardless of the type of court. This includes procedures for temporary and injunctive relief, and counterclaims or other special means of legal protection. In the event of civil claims within the context of criminal proceedings, this Directive shall be applicable where their adjudication is fully governed by civil procedural law. However, the Directive is not applicable when the adjudication of such claims is governed in whole or in part by criminal procedural law.

The Directive establishes minimum rules, thus allowing Member States to adopt or maintain more favourable provisions for persons carrying out public interest litigation, including national provisions establishing more effective legal guarantees, such as responsibility to protect freedom of expression and information. The application of the Directive shall not justify any backtracking in relation to the current level of protection that is already in place in each Member State.

Abusive legal procedures to discourage public participation typically include procedural tactics of the plaintiff done in bad faith, which may be related to the choice of jurisdiction, litigating partially meritless claims, raising excessive claims, and the initiation of multiple proceedings on similar matters, which cause disproportionate costs on the defendant in these proceedings. The plaintiff’s past conduct and, in particular, any history of legal intimidation should also be considered in determining the abusiveness of the judicial process. Such procedural tactics, which are often combined with various forms of intimidation, harassment or threats before or during the procedure, go beyond the purpose of obtaining access to justice or the actual exercise of a right and are intended to deter public participation in relation to the subject at hand.

The Directive complies with the protection of fundamental rights, the EU Charter and the general principles of Union law. Accordingly, this Directive must be interpreted and applied in accordance with fundamental rights, including the right to freedom of expression and information, as well as the right to an effective remedy, an impartial tribunal and access to justice. In the application of this Directive, all the public authorities involved must strike, in cases of conflict between the relevant fundamental rights, a fair balance between the relevant rights, pursuant to the principle of proportionality.

Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with the Directive by 7 May 2026.

by Alexandros Efstathiou

Within the context of the workplace and of employment law, “bullying” does not refer to a specific legal concept. It is a wider colloquial term that can encompass a range of repeated harmful behaviours directed at an employee or a group of employees and can cover any form of physical or verbal abuse of another person in the workplace unrelated to any innate characteristics or to any specific purpose on the part of the perpetrator, but which target an individual's emotional and psychological wellbeing.

“Harassment”, on the other hand, within the context of Cyprus employment law, is a legal concept that derives from the pertinent EU antidiscrimination directives. In particular, “harassment” is an unwanted conduct expressed with words or actions, connected to gender, racial or ethnic origin, religion or beliefs, age or sexual orientation, with the purpose or effect of offending the dignity of a person and creating an intimidating, hostile, degrading, humiliating or offensive environment.

In other words, for a conduct to constitute harassment, it needs to (a) be connected to one or more of the aforementioned protected characteristics, and (b) its purpose or effect needs to be (i) to offend the dignity of a person, and (ii) to create an intimidating, hostile, degrading, humiliating or offensive environment.

In light of the above, it seems that ipso facto almost all instances of harassment will qualify as bullying. Conversely, any form of bullying that does not meet the qualifications concerning the protected characteristics and the specific purpose or effect, they are not considered harassment for purposes of Cyprus employment law.

It is noted that there are also separate statutory provisions concerning harassment, which turn this behaviour into both an actionable tort that merits compensation, as well as a criminal offence with up to Euro 10.000 and/or five years imprisonment, depending on the circumstances. Within this criminal law and torts context, "harassment" is not linked to protected characteristics, but it means causing anxiety or distress to another person, while knowing, actually or constructively, that this would cause such anxiety or distress provided that this conduct is repeated more than once. In other words, in this non-employment law context, the focus is not on innate characteristics of the individual, but on the distress that a behaviour would cause, which is more akin to what colloquially would be called “bullying”.

In other words, where instances of bullying do not constitute harassment, because they are not connected to protected characteristics, they cannot be dealt with through employment law before the competent Industrial Disputes Tribunal. However, it may be possible that employees can utilise such provisions and proceed to regular criminal and civil courts against the individual persons performing such conduct.

Of course, in the case where there is physical abuse involved, there may also be issues such as the criminal offence and tort of assault, which can be claimed against the perpetrator, again outside the employment law context.

The national equality authority, the Ombudsperson, also has the competence to issue codes of conduct concerning the facilitation and promotion of compliance with antidiscrimination legislation, which are then turned into regulations approved by the executive. However, there is no general code of conduct concerning harassment, but all codes of conduct issued by the Ombudsperson to date, concerning harassment, relate to the civil service and public law bodies, such as public universities. Nevertheless, private entities are free to make their own codes of conduct and it seems now that companies in a growing number of industries, implement such policies or provide pertinent training to their employees and management.

In addition, employers have a statutory duty to encourage and promote equal treatment in the workplace, as well as an implicit common law duty to provide for a safe workplace. Therefore, depending on the gravity of the abusive conduct, if the abusive conduct does not come directly from the employer, but from an employee, but the employer has been made aware of this, yet they fail to investigate and take corrective actions, the employee may file a discrimination claim before the Industrial Disputes Tribunal claiming fair and reasonable compensation, in which case the burden of proof is reversed.

Simultaneously, there may also be vicarious criminal and civil liability, under certain conditions (such as acquiescence, knowledge, or consent to the conduct by the employer), for either the company or its officers or both.

Further, under the relevant law transposing the EU Whistleblowing Directive, employers with 50+ employees, as well as all public authorities and public law bodies, regardless of number of employees, are obliged to develop proper reporting channels for employees to report certain breaches of EU and national law. Harassment, defined in the same way as the antidiscrimination statutes, is specifically prohibited as a form of retaliation against such whistleblowers and the state has the positive obligation to provide to whistleblowers free and easy access to all relevant information concerning their protection, to assist them with any complaints before authorities, give legal aid in criminal proceedings and cross-border civil disputes in relation to that subject matter. Any person that proceeds with such form of retaliation may be subject to a financial penalty of up to Euro 30.000 and/or up to three years’ imprisonment.

However, a short critique is also in order, in that, because, under Cyprus law, protection from harassment and bullying in the workplace is the product of an interplay between employment law, criminal law and torts, this piecemeal manner in which such legal protection has evolved has led or may lead to unfair or unequal results.

For example, the maximum financial penalty for gender-based harassment within the context of antidiscrimination and employment law is six times as much as the maximum for harassment on grounds of other protected characteristics, and maximum imprisonment four times as much and this is simply because the specific statutes were transposed at different parliamentary sessions.

Therefore, it is arguable, in the author’s view that, within the context of Cyprus law, given the multiple legal provisions we have on harassment, it is necessary to explore the idea of a complete revamp of how harassment is dealt with legally both in and out of the workplace, unify the definition of harassment, which seems to have at least two different definitions, and keep the strict definition of harassment that relates to protected characteristics, in order to be dealt with within the context of employment law, with a right to fair and reasonable compensation before the Industrial Disputes Tribunal.

At the same time, bullying should be given a separate legal definition, that also encompasses harassment, but without mention to protected characteristics and be dealt with within the context of regular criminal law and torts.

In this way, in the author’s view, jurisprudence will evolve in an organic and uniform manner under the jurisdiction of each court hierarchy and both harassed employees and people that have been bullied outside the workplace without reference to protected characteristics can have equal and clear access to justice. Of course, filing a labour dispute application should not preclude an individual from proceeding also with filing a criminal complaint and an action for damages in tort.

And, finally, another change that would untie the hands of the Ombudsman is an increase in the very low maximum administrative fine of Euro 405 and introduction of other administrative sanctions that act as serious deterrents, such as possible withdrawal or suspension of a licence in cases of instances of harassment in regulated industries.

by Alexandros Efstathiou