GDPR privacy: rights and compensation for unauthorized spam emails


GDPR and Spam: the first conviction with damages awarded

Germany has produced the first judgment awarding compensation for damages caused by spam: the Regional Court of Heidelberg, in a judgment of March 16th, 2022 (case 4S 1/21), applied, for the first time, the GDPR privacy legislation (articles 79 and 82 of the GDPR) to an incident that dates back to 2019.

In the case tried by the German court, the interested party had received a first advertising email relating to a training course in April 2019 but had not given consent to receive such communication. He, therefore, expressed his opposition to the sender. Despite this, two months later, he received another advertising email for the same course, and, at that point, he sued for damages for improper processing of data.

In the first phase of litigation, the court ordered the data controller to stop sending advertising emails but rejected the claim for compensation as it did not recognise any significant damage. The Regional Court of Heidelberg overturned the first-instance judgment, recognising the merits of the case and granting the plaintiff, under Article 82 of the GDPR, the total sum of 25 euros, or 12 euros and 50 cents for each spam email received.

In addition to being an important precedent, the German judgment stands in sharp contrast with the Italian case tried in 2017 (Cassazione Civile sez. I n. 3311/17). In that year an Italian citizen, tired of constantly receiving spam emails, decided to turn to a judge to request damages. The case was identical to the German one, but with a completely different epilogue: the interested party, in addition to not having obtained the requested compensation, equal to 360 euros, was also ordered to pay € 1,500 according to art. 96 c.p.c. for “reckless litigation”. According to the sentence, the damage indicated in the lawsuit was “hypothetical and futile, consisting at most in a modest discomfort or annoyance, certainly tolerable, linked to the fact, connected to an ordinary use of the computer, of having received ten unsolicited emails, of advertising content, over a period of three years”.

GDPR spam mail: what articles 79 and 82 say

Art. 79 of EU Regulation 2016/679 establishes that each interested party has the right to propose an effective judicial remedy against the data controller or processor if they consider that the rights they enjoy under the regulation have been violated as a result of processing.

In addition, Art. 82 GDPR specifically deals with the right to compensation for damages. Paragraph 1 reads: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It is therefore clear that the German citizen’s claim for damages is legitimate. The uniqueness of the judgment issued by the Regional Court of Heidelberg lies in the interpretation of the concept of damage: for the German judge, unlike the Italian one, two spam emails are sufficient to cause damage and to make the claim for damages appropriate.

The relationship between email marketing and GDPR soft spam

Spam is any type of unwelcome and unsolicited digital communication that is sent via email for commercial purposes. Many companies use spam because the cost per email is incredibly low and therefore it is possible to send large quantities of communications regularly.

However, distinctions must be made between the different types of promotional emails, as they are not all considered equal: cold emails, used to promote services to potential customers; soft spam, a useful tool for contacting existing customers; and spam.

In the first case, the recipients are prospective customers who gave consent to receive promotional communications in full compliance with GDPR rules, while soft spam, meaning emails sent to already loyal recipients, must comply with the following requirements:

  • The receiver must be of legal age;
  • The email must concern products and/or services provided by the data controller;
  • The customer must have the option to object to the processing of their data free of charge and in a simple way (opt-out);
  • Automated systems must not be utilised for email marketing activities;
  • The processing is justified by a legitimate interest of the data controller;
  • The customer must be provided with the Privacy Policy that communicates all the details of data processing.