Compensation for damages for breach of data protection regulations.

Supreme Court Judgment no. 398/2024, of 19 March 2024, addresses with legal meticulousness the issues raised around the violation of the fundamental rights to honour and privacy, as well as non-contractual civil liability, in a case involving unauthorised consultations of solvency carried out by an employee of SURAVAL S.G.R., Ms. Beatriz, in the ASNEF file.

From its analysis, it can be deduced that in order to claim compensation for an intrusion into the intimate sphere of the person, the damage caused by such access must be proven.

On the Statute of Limitations

The issue of the statute of limitations is crucial to the development of the dispute. The appellants argue that their action was not time-barred, based on alleged interruptive acts which, according to article 1973 of the Civil Code, would have prevented such a limitation. However, the Supreme Court takes a critical stance against this argument, pointing out that the Provincial Court, in dismissing the appeal, did not rely primarily on the statute of limitations but on the substantive unfeasibility of the actions brought. This reasoning of the Supreme Court emphasises the importance of distinguishing between the decisive grounds of a judgement and those arguments that, although present, do not constitute the main reason for the judicial decision. The reference to the statute of limitations, in this sense, is understood as an additional argument and not as the core of the decision, which emphasises the relevance of focusing the cassation appeal on the grounds that effectively support the ruling.

Specifically, the SC states that:

It is settled case law that states that an appeal in cassation can only be directed against the judgment and, indirectly, against the operative reasoning or ratio decidendi [reason for deciding] of the judgment. Consequently, it is not possible to challenge auxiliary, accessory, secondary or obiter dicta [incidental expressions] or, moreover, reasoning whose hypothetical elimination would not alter the logical path that leads to the conclusion reached in the ruling, such that the various considerations that may be made in the decision and which are not of such a transcendental nature for the judicial decision are irrelevant in terms of cassation (judgments 454/2007, of 3 May; 230/2008, of 24 March; 374/2009, of 5 June; 258/2010, of 28 April; 737/2012, of 10 December; 185/2014, of 4 April; and 85/2019, of 12 February).

Privacy and Data Protection

The Supreme Court devotes a detailed analysis to the distinction between the right to privacy and the right to personal data protection. Although both rights share a common core aimed at safeguarding the private sphere of the individual, the Court clarifies that not every infringement of data protection rules entails a violation of the right to privacy. This distinction is vital, as it allows us to understand that the unauthorised consultation of personal data by Ms. Beatriz did not directly affect the intimate core of the plaintiffs, insofar as the information consulted was already publicly accessible through registers such as the Land Registry. Specifically, the SC stated that:

The right to privacy makes it possible to exclude certain data of a person from the knowledge of others, from which derives the right to protect their private life from unwanted publicity; but the object of protection of the fundamental right to data protection is not only limited to the intimate data of the person, but to any type of personal data, whether intimate or not, whose knowledge or use by third parties may affect their rights, whether fundamental or not. In this case, although access to the plaintiffs’ financial data was gained through a financial solvency file, the defendants did not include the plaintiffs in any such file. As the Provincial Court rightly states, there was no disclosure of intimate data as these data were already public, given that various liens were included in registers of this nature, such as the Land Registry.

Furthermore, the Supreme Court criticises the anachronism of invoking Organic Law 3/2018 for events occurring between 2013 and 2014, when the applicable regulation was Organic Law 15/1999. This legal precision not only underlines the importance of the correct temporal application of the rules but also reflects the rigour with which the grounds for any claim based on the protection of personal data must be analysed.

Liability of SURAVAL S.G.R.

Another substantial point addressed by the Supreme Court is the question of SURAVAL’s liability for the acts of its employee. The Court highlights that SURAVAL cannot be held liable for acts performed by Ms. Beatriz for personal purposes and outside her job functions, especially when the company had adopted adequate security measures to protect the data handled. This conclusion emphasises the importance of differentiating between individual employee liability and corporate liability, particularly in contexts where individual actions exceed the limits of their professional role and company policies.

On Compensation for Damages

The Court’s analysis of the applicability of damages awards reveals a careful application of the principles governing tort law in Spain. The Supreme Court recalls that a breach of data protection law is not sufficient to automatically justify compensation. It is necessary to prove actual damage and a causal link between the unlawful data processing and the harm suffered, criteria that were not met in the present case. This reasoning is in line with the case law of the Court of Justice of the European Union, emphasising that the right to obtain compensation must be based on the actual existence of damage.

In this case, the Court states that

In this case, only the first of the above-mentioned conditions is met, which, on its own, is insufficient for the purposes sought by the applicants. As the first CJEU cited above emphasises, “the occurrence of damage in the context of such processing is only potential; […] the infringement of the GDPR does not necessarily entail damage, and […] there must be a causal link between the infringement in question and the damage suffered by the data subject in order to establish a right to compensation”. He therefore insists that a breach of data protection regulations is one thing, which may give rise to an administrative sanction, and that obtaining compensation is another, which cannot be automatic; there can be no linear equation between breach and compensation.


Consequently, the Supreme Court dismissed the appeals, upholding the judgment of the Provincial Court of Cadiz. The appellants are ordered to pay the costs of the proceedings and the forfeiture of the deposits deposited for the lodging of the appeal.

This judgment constitutes a benchmark in the interpretation of fundamental rights in the context of personal data protection, clearly distinguishing between breaches of specific regulations and infringements of fundamental rights such as honour and privacy, and reaffirming the limits of corporate liability for individual acts of its employees performed outside the scope of their corporate functions.