Updated version of the article published on 26 August 2024
The CJEU clarifies the requirements under Art. 82 GDPR
This year, as in the previous year, the European Court of Justice (CJEU) has published several rulings on the relevant standard damages under data protection law in Art. 82 of the European General Data Protection Regulation (GDPR), in which the CJEU concretised the requirements of Art. 82 GDPR in important and previously controversial points. The CJEU relied on its Judgment dated 4 May 2023 (C-300/21) and continued with the interpretation of Art. 82 GDPR that had begun in that Judgment, which we intend to highlight in this article.
According to the CJEU, the key aspects for a claim under Art. 82 GDPR can be summarised as follows:
- Not every infringement of the provisions of the GDPR automatically triggers a claim for compensation under Art. 82 GDPR. The data subject must have suffered material or non-material damage, which they must prove.
- The concept of damage must be interpreted broadly. The right to compensation for non-material damage does not require a noticeable disadvantage.
- Damage which is caused by a breach of personal data protection is no less serious than bodily injury.
- Art. 82 GDPR does not have a threshold of seriousness or minimum threshold that would have to be exceeded by the damage.
- The fear that personal data will be misused as a result of a cyberattack can be compensable non-material damage. If the damage results from this fear that data will be misused by third parties, the data subject must prove that the fear is well founded under the given special circumstances and with regard to his/her own person.
- Identity theft only occurs if a third party has actually assumed the identity of the person concerned. However, compensation for non-material damage caused by the theft of personal data is not limited to cases where it has been proven that the theft of data has led to identity theft (or identity fraud).
- An exemption from liability in accordance with Art. 82 (3) GDPR is only possible within certain limits.
- The GDPR does not contain provisions that relate to how the amount of damages to be paid should be assessed, therefore the national courts must apply the national provisions of the individual Member States in compliance with the principles of equivalence and effectiveness under EU law.
- To assess the amount of compensation to be paid, Art. 82 GDPR does not require that the degree of fault or the number of GDPR infringements by the controller towards the data subject be taken into account.
- If infringements of the GDPR are made simultaneously with infringements of national law and those national provisions relate to the protection of personal data but are not intended to clarify the requirements of the GDPR, it is not necessary to take these simultaneous infringements into consideration when assessing the amount of a claim for damages pursuant to Art. 82 GDPR.
- Art. 82 GDPR has a compensatory function and not a deterrent or punitive function.
Due to their high practical relevance, we want to take a closer look at each of the rulings of the CJEU. The last update was made on 20 June 2024.
Judgment dated 20 June 2024 (C-182/22, C-189/22): decision in the Scalable Capital referral proceedings
In the joined cases C-182/22 and C-189/22 with questions referred from Germany (C-182/22, C-189/22) concerning the Scalable Capital referral proceedings, the Advocate General’s opinion, which was limited to the fifth referred question, was published in October 2023. The CJEU was asked to rule whether to assert non-material damage under Art. 82 GDPR, identity theft, within the meaning of Recital 75 and 85 of the GDPR, should only be affirmed if the identity of the data subject has been assumed, or whether the fact that criminals have data that makes the data subject identifiable is sufficient to affirm identity theft. In the case underlying these proceedings, a data leak had resulted in a data outflow (including account and ID data) from a financial services company to unauthorised third parties.
Opinion of the Advocate-General
In these proceedings, the Advocate General came to the conclusion that the theft of sensitive personal data of a data subject by unknown criminals could lead to a claim for non-material damage if proof of an infringement of the GDPR, concrete damage suffered and the causal link between the damage and the GDPR infringement is provided. The Advocate General did not consider it necessary for offenders to have assumed the identity of the data subject. According to the Advocate General, the possession of data that is sufficient to identify the data subject does not in itself constitute identity theft.
CJEU: Identity theft requires that a third party has actually assumed the identity of the person concerned.
With its Judgment dated 20 June 2024, the CJEU has now ruled that identity theft only exists if a third party has actually assumed the identity of the person concerned. However, it said compensation for non-material damage caused by the theft of personal data according to Art. 82 GDPR is not to be limited to cases where it can be proven that the theft of data has led to identity theft (or identity fraud). The CJEU also said, among other things, that Art. 82 (1) GDPR must be interpreted as meaning that, when determining the amount of compensation owed for non-material damage, it must be assumed that damage caused by a breach of personal data protection is, by its nature, no less serious than bodily injury. Recitals 75 and 85 GDPR list various circumstances to be categorised as "physical, material or non-material damage". However, according to the CJEU, there is no hierarchical relationship between them that could lead to the conclusion that the impairments resulting from a breach of data protection are less serious than injuries to the body. With regard to whether national courts should award a "symbolic" amount in the absence of severity of the damage, the CJEU stated that the courts are free to award minor damages, provided these are suitable to fully compensate for a loss suffered that lacks severity.
The CJEU was able to refer to its case law from more recent cases for the further questions that had been referred: for example, the Court reconfirmed that Art. 82 GDPR does not have a punitive function, but a compensatory function. For this reason, any intent on the part of the controller would not be taken into account when calculating the amount of compensation to be paid. Decisive is that the amount awarded fully compensates for the actual damage suffered.
Judgment dated 20 June 2024 (C-590/22): requirements necessary for proof in case of fear of data disclosure
Case C-590/22 with referrals from Germany questioned whether a mere fear without positive proof that personal data has been obtained by a third party unlawfully is sufficient for a claim under Art. 82 GDPR and whether a deterrent effect is required to assess the damages. In its Judgment dated 20 June 2024 (C-590/22), the CJEU said that it is sufficient for a claim if there is proper proof that a data subject fears that its personal data has been disclosed to third parties as part of a GDPR infringement and the negative consequences of this fear. According to the CJEU, it is not necessary to prove that the feared disclosure actually took place.
Furthermore, the CJEU clarified that, when assessing the amount of a claim for compensation pursuant to Art. 82 GDPR, infringements of national provisions that relate to the protection of personal data, but are not intended to clarify the GDPR, should not be taken into account. It therefore depends solely on the GDPR infringements. In line with its previous case law, the CJEU also reaffirmed that the criteria of Art. 83 GDPR are not applicable to Art. 82 GDPR and that a claim for compensation under Art. 82 GDPR does not have a deterrent function.
Judgment dated 11 April 2024 (C 741/21): non-material damage due to advertising without consent?
Other proceedings dealt with the sending of three advertising letters to a data subject without the data subject’s consent. The data subject had also entered a code that was found in the advertising letters in the defendant's online shop, whereupon an order screen appeared with the pre-entered personal data of the data subject and demanded compensation for material damage due to bailiff and notary costs incurred as well as non-material damage. Based on the submissions by the Saarbrücken Regional Court (Decision dated 22 November 2021 – 5 O 151/19), the CJEU in its Judgment dated 11 April 2024 (C-741/21) essentially confirmed its previous case law to the effect that not every GDPR infringement automatically constitutes non-material damage and that Art. 83 GDPR, which applies to fines, cannot be used to assess a claim for compensation under Art. 82 GDPR.
CJEU: exemption from liability only possible within very narrow limits
The CJEU's statements on Art. 82 (3) GDPR and the exemption from liability of the controller are interesting. In this regard, the CJEU ruled that it is not sufficient for an exemption that the controller claims that damage was caused by the misconduct of a person subordinate to the controller pursuant to Art. 29 GDPR, e.g. an employee. The CJEU said that in relations where a right to give instructions exists, the controller must ensure that the employees follow the instructions correctly, thus the controller cannot exempt itself from liability by invoking negligence or misconduct on the part of a person under its authority in accordance with Art. 82 (3) GDPR. The court said any other interpretation would undermine the practical effectiveness of a claim for compensation under Art. 82 (1) GDPR.
Number of GDPR infringements not a relevant criterion when assessing damages
A further issue referred by the Saarbrücken court to the CJEU relates to the amount of compensation to be paid. As GDPR compensation does not have a punitive or deterrent function, but rather according to Recital 146 GDPR, is intended to ensure full and effective compensation for the damage suffered, the number of GDPR infringements by the controller towards the data subject should not be a relevant criterion when determining the amount of compensation. Only the actual damage suffered or incurred by the data subject is to be compensated; however, it is up to the national courts to develop criteria for this. Whether and to what extent the Saarbrücken Regional Court will now award the claimant a right to compensation also depends on the claimant's statement regarding the non-material damage suffered.
Judgment dated 25 January 2024 (C-687/21): no compensation in the event of a purely hypothetical risk of data being misused and demonstrable lack of knowledge by unauthorised third parties
With its Judgment dated 25 January 2024 (C-687/21) the CJEU, following a referral from the Hagen Local Court from autumn 2021, clarified questions of interpretation of Art. 82 GDPR and increased legal certainty for companies. In the facts of this case, on which the questions referred to the CJEU were based, personal data of a purchaser (name, address, place of residence, employer, income and bank details) had inadvertently been disclosed on a printout by an employee of the company to a third party who had jumped the queue unnoticed and, thus mistakenly received the printed documents and the appliance that had actually been sold to the data subject. Within half an hour, the employee realised the mistake had been made and both the documents and the electrical appliance were returned to the actual buyer.
The buyer demanded compensation for non-material damage pursuant to Art. 82 GDPR, which he saw was based on the risk of loss of control over his personal data. He refused to accept an offer of free delivery of the purchased electrical appliance to his address as compensation. The company denied that an infringement of the GDPR existed and did not see any compensable damage due to a lack of seriousness and also because the third party had not misused the data received. The CJEU has already ruled several times that damage does not require a threshold of seriousness (for the first time in its Judgment dated 4 May 2023 (C-300/21)). We would like to emphasise the following aspects of the other questions submitted by the Hagen Local Court.
Disclosure of data to unauthorised third parties does not automatically mean that the TOMs in place are unsuitable
The Hagen Local Court wanted to know whether a GDPR infringement had occurred if employees of the controller mistakenly passed on a document containing personal data to an unauthorised third party. It wanted to know if an infringement due to unsuitable technical and organisational measures (TOMs) pursuant to Art. 24 and Art. 32 GDPR could be taken into consideration. The CJEU denied that the unauthorised disclosure alone constituted an infringement of Art. 5, Art. 24, Art. 32 GDPR. Referring to a recent CJEU ruling dated 14 December 2023 (C-340/21, more on this below), the CJEU pointed out that the standards mentioned did not require absolute safety against infringements, but rather appropriate measures to ensure safety. The court said it is only when an organisational mistake occurs, and the erroneous disclosure of documents is the consequence of this that an infringement of Art. 24 and Art. 32 GDPR can be affirmed.
In short: as is so often the case, it depends on the circumstances of the individual case. According to the CJEU, the burden of proof that suitable TOMs have been taken remains with the defendant in compensation proceedings. When establishing a GDPR infringement, the decisive national court must not focus solely on the fact that data was disclosed to an unauthorised third party but must take into account all the evidence provided by the controller to prove the suitability of its TOMs.
No non-material damage if it is proven that unauthorised third parties have not gained knowledge of the data
The CJEU's statements on the existence of damage are also particularly relevant in practice. In this Judgment, the CJEU again stated that even short-term loss of control can create non-material damage which, regardless of its triviality, must then be compensated if the claimant can prove causal damage. The CJEU did not repeat the wording from the ruling of 14 December 2023 (C-340/21 more on this below) in margin no. 85 of the Judgment which stated that if the damage lies in the fear of misuse by third parties, the claimant must prove that this fear can be regarded as well-founded
"in the given special circumstances and with regard to the data subject"
(at this point at the latest, however, a lot of the claims for compensation in the so-called "scraping" cases would be dismissed; in particular, text modules recurring in several similar proceedings are not sufficient for many courts as evidence of individual involvement). As a result, however, the CJEU also applied these benchmarks in this referral from Hagen, because the referring court had found that the third party had only held the data in his hands for a period of less than half an hour, not in digitalised but in printed form, and that, secondly, it had been proven that unauthorised third parties had not gained knowledge of the content of the data. The CJEU, therefore, categorised the concerns about data misuse as a purely hypothetical risk, which is not sufficient to affirm damage.
Due to the aforementioned particularities of the Hagen case, it is not possible to draw any general conclusions about cases of data outflows that differ from this, e.g. in digital and therefore less controllable and reversible form or for a longer period of time. It can be clearly concluded from the Judgment that a general presentation of the damage can be refuted or is not sufficient as proof of the damage. The decision shows that it still depends on the circumstances of the individual case, which is also emphasised by the following CJEU ruling on a referral from Bulgaria.
Judgment dated 14 December 2023 (C-340/21) on referral from Bulgaria: does a fear of data being misused after a cyberattack constitute non-material damage?
In the case C-340/21 with questions referred from Bulgaria, the CJEU had to rule, among other things, on the question of whether, in the event of a cyberattack on the data controller, the data subject’s fear that their personal data could be misused as a result of this unauthorised access is sufficient to assume non-material damage within the meaning of Art. 82 GDPR if such misuse has not been established.
The referral proceedings were based on media reports from 2019 relating to a cyberattack on a Bulgarian authority that processed the personal data of around six million people. These reports said that data had been published on the internet as a result of unauthorised access, whereupon some of those affected had demanded non-material damage. These included the claimant in the legal dispute that the Bulgarian court used to refer the case to the CJEU. The data subject had asserted a claim for compensation in court pursuant to Art. 82 GDPR in the amount of approx. EUR 510 against the controller.
With regard to non-material damage, the data subject argued that the personal data published without her consent could be misused in the future or that she herself could be blackmailed, attacked or kidnapped. The authority responsible for data processing argued, among other things, that there was no causal link and that all necessary measures had been taken to protect the IT systems and the data contained in them before and after the cyberattack, which was carried out by persons not employed by the authority.
The Opinion of the Advocate General has been available since April 2023. The Advocate General found that the data subject was obliged to prove that she had suffered real and certain emotional damage. It said this is a circumstance that national courts have to examine in each individual case.
CJEU: fear that personal data will be misused as a result of a cyberattack can be compensable non-material damage
In the referral proceedings, the CJEU ruled on 14 December 2023 (C-340/21) that the fear of possible misuse of personal data following a cyberattack in itself could constitute non-material damage to a data subject within the meaning of Art. 82 GDPR (incidentally, the Karlsruhe Higher Regional Court had ruled differently shortly beforehand in its Judgment dated 7 November 2023 (19 U 23/23) regarding a cyberattack:
Potential or hypothetical damage or mere concern about the theft of one's own personal data is not sufficient to constitute the existence of non-material damage within the meaning of Art. 82 (1) GDPR.
The CJEU emphasised that it is not relevant under Art. 82 (1) GDPR whether non-material damage is associated with the misuse of personal data by third parties that has already occurred or whether there is a fear that such use could occur in the future:
It should also be noted in the present case that Art. 82 (1) GDPR makes no distinction as to whether the "non-material damage" alleged by the data subject as a result of a proven breach of the provisions of the GDPR is linked to the misuse of their personal data by third parties that has already occurred at the time of their claim for compensation or whether it is linked to their fear that such use could occur in the future.
The CJEU underpinned this with a reference to the broad interpretation of the concept of damage intended by the legislation, which can be seen from the 85th and 146th recitals of the GDPR.
The burden of proof of the damage lies with the data subject
The CJEU agrees with the Advocate General that it is up to the data subject to prove that the negative consequences and their nature are compensable non-material damage. If this is based on a fear that personal data will be misused as a result of a cyberattack, then the national court must examine whether this fear can be categorised as well-founded in the specific circumstances and with regard to the data subject. Allegations of anxiety, therefore, do not automatically mean that damage has been proven: an examination of the individual circumstances is still required.
Exemption from liability only possible within limits
In this context, the CJEU also emphasised that the controller responsible for the processing must compensate for any damage which was made possible through an infringement of the GDPR caused in connection with processing, in particular against Art. 5 (1) f), Art. 24 and Art. 32 GDPR. The actions of cybercriminals can, therefore, only be attributed to the controller if the latter has enabled the criminal behaviour by disregarding the rules of the GDPR. Exemption from liability of the controller pursuant to Art. 82 (3) GDPR can only be taken into consideration if the controller can prove that there is no causal link between the breach of its data protection obligations and the damage suffered by the data subject, i.e. that it is not responsible in any way for the circumstance that caused the damage. On the same date, the CJEU issued another Judgment regarding Art. 82 GDPR and strengthened its comprehensive scope of application.
Judgment dated 14 December 2023 (C 456/22): claim for compensation for non-material damage does not require a noticeable disadvantage
On 14 December 2023, the CJEU also ruled in the case C-456/22 in response to a question referred from Germany regarding Art. 82 GDPR and referring to the aforesaid Judgment in May 2023, and once again clearly rejected the assumption of a so-called threshold of seriousness or minimum threshold. The court also emphasised again that a breach of the GDPR does not automatically trigger a claim for compensation under Art. 82 GDPR.
In this second Judgment dated 14 December 2023, the CJEU provided further clarity with regard to the concept of non-material damage within the meaning of Art. 82 GDPR. The referral concerned, among other things, the question of whether non-material damage requires a noticeable disadvantage as well as an objectively comprehensible impairment of personality-related interests or whether a merely short-term (lasting a few days) loss of the data subject's data through its publication on the internet, which remained without noticeable or adverse consequences, is sufficient. According to the CJEU, the right to compensation for non-material damage does not require any noticeable disadvantage. However – as the court emphasised in line with the other aforesaid Judgment dated 14 December 2023 – the data subject must prove the existence of adverse consequences of the GDPR infringement that led to the non-material damage.
Judgment dated 21 December 2023 (C-667/21): re: balancing function of Art. 82 GDPR for specific damage suffered as a result of GDPR infringements
With regard to case (C-667/21), which related to the processing of health data and compensation in the amount of EUR 20,000, the CJEU answered further questions referred from Germany in its Judgment dated 21 December 2023 regarding Art. 82 GDPR. The referral concerned, among other things, the issues whether the degree of fault of the controller (or processor) is relevant to the amount of non-material damage and whether, in particular, the lack of fault or minor fault of the controller (or processor) may be taken into account in its favour. In May 2023, the Advocate General presented its Opinion and argued that the degree of fault was not relevant for liability or the assessment of the amount of non-material damage to be compensated.
The CJEU referred to the purpose of Art. 82 GDPR and its compensatory function: the provision is intended to enable monetary compensation to be paid to compensate for specific loss suffered as a result of a GDPR infringement. It has no deterrent or punitive function. In accordance with the aforesaid Judgment, the CJEU interpreted Art. 82 GDPR to the effect that the fault of the controller is presumed unless the controller proves that the act causing the damage is not attributable to it. When assessing the amount of compensation to be paid for non-material damage, the CJEU stated that Art. 82 GDPR does not require the degree of fault to be taken into account.
As the CJEU has not yet commented further on the specific amount of damages to be paid, the following decision also deserves attention, however it does not relate at all to the GDPR.
Judgment dated 5 March 2024 (C-755/21 P): claim for compensation under the Europol Regulation – facilitation of evidence for the data subject
Even though this case that the CJEU ruled on in its Judgment dated 5 March 2024 C-755/21 P did not directly relate to Art. 82 GDPR, it did pertain among other things to a claim for compensation in connection with the disclosure of personal data. In the underlying case, Slovakian authorities and the EU Agency for Law Enforcement Cooperation (Europol) had investigated a case involving a murdered journalist and his fiancée, where Europol had extracted data from two mobile phones belonging to the claimant in the CJEU proceedings and had transmitted the data to the investigating authorities. A year later, transcripts of intimate communications between the claimant and his partner from an encrypted messenger service were obtained from this data together with information from Europol that the claimant had been arrested on suspicion of a financial crime and that he was connected to the so-called "mafia lists" and the "Panama Papers" and this was published in the Slovakian press. The claimant demanded non-material damage of EUR 50,000 before the General Court of the EU (EGC) for the disclosure of the data, and a further EUR 50,000 for including his name in the so-called "mafia lists" – i.e. a total of EUR 100,000. However, the EGC dismissed the case in 2021 (Judgment dated 29 September 2021 – T-528/20 [Kočner v Europol]), and the claimant appealed to the CJEU.
The CJEU disagreed with the assessment of the lower court. The latter had denied the claimant's claim because he had not proven that Europol had kept the said "mafia lists" and that the damage suffered by the claimant had been caused by a causal link to Europol. However, the CJEU emphasised that in order to assert joint and several liability, as was the case here, a data subject only has to prove at the first stage that unlawful data processing occurred during the cooperation between Europol and the authorities of the Member State concerned, which caused the damage claimed. However, according to the CJEU, the data subject does not have to prove which of these two bodies is responsible for the unlawful processing.
CJEU: claim for compensation in the amount of EUR 2,000 under the Europol Regulation
The EGC’s Judgment was overturned by the new ruling of the CJEU, which also immediately ruled on the matter itself. The CJEU only considered the appeals on the submissions relating to the disclosure of intimate communication data to be admissible and well founded and ruled that the claimant was entitled to compensation for non-material damage in the amount of EUR 2,000 against both authorities as joint and several debtors. The court said the data concerning the data subject had been disclosed without permission and made public (the ruling refers to press articles and websites, including those from an international network of investigative journalists), which infringed the claimant's right to respect for his private and family life and his communications (Article 7 of the Charter of Fundamental Rights) and impaired his honour and reputation.
However, these proceedings did not relate to compensation under the GDPR, but rather under the so-called Europol Regulation (Regulation (EU) 2016/794) and Art. 49 (3) and Art. 50 (1) of such, which provide for rules on compensation in the event of unlawful data processing. Recital 57 of the Europol Regulation already recognises the difficulties in providing proof that arise for a data subject in the event of unlawful data processing by Europol and the EU Member States:
"It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable."
However, the CJEU also emphasised the possibility for the defendant to prove that the alleged damage is not related to unlawful data processing in the context of cooperation between Europol and a Member State.
The CJEU hardly dealt with the amount of damages awarded and the considerable deviation of the amount to be paid (EUR 2,000) from the amount requested by the claimant (EUR 50,000). Compared to cases in the German courts where compensation has been awarded in the same amount, the amount in the CJEU proceedings appears low considering the seriousness of the crime and the intimacy of the data disclosed as well as the publication in the press: for example, the Hamm Higher Labour Court awarded compensation in the amount of EUR 2,000 for a transfer of an employee's personal data within a hospital network (Decision dated 14 December 2021 – 17 Sa 1185/20), the Berlin-Brandenburg Higher Labour Court awarded the same amount solely for a breach of duty to provide information under Art. 15 GDPR (Decision dated 18 November 2021 – 10 Sa 443/21) and similarly the Düsseldorf Higher Regional Court for the sending of a claimant's health file by the defendant statutory health insurance company to an incorrect email address (Decision dated 28 October 2021 – 16 U 275/20). In this present case, the CJEU merely pointed out that it could not be established that photographs had also been disclosed to unauthorised third parties, as alleged by the claimant, but that the unauthorised disclosure was limited to the transcribed conversations between the claimant and his partner. Therefore, the CJEU considered compensation in the amount of EUR 2,000 to be an appropriate amount of compensation. It remains to be seen whether the national courts will use this CJEU ruling, which awards a comparatively small sum in a serious case, as an opportunity to reduce the amounts of compensation awarded in the ordinary courts.
The suspense continues with regard to GDPR compensation for damages
Overall, the CJEU has further concretised the requirements and legal consequences for compensation claims under data protection law, in particular with regard to non-material damage with these aforementioned judgments. It remains to be seen how the national courts will deal with the requirements of the CJEU. In addition, further referral proceedings are underway before the CJEU regarding Art. 82 GDPR. It was only in September 2023, for example, that the German Federal Court of Justice (BGH) suspended proceedings and referred questions on compensation under the GDPR to the CJEU including whether Art. 82 (1) GDPR should be interpreted as meaning that mere negative feelings (e.g. anger, resentment, dissatisfaction, worry, fear) are sufficient for the assumption of non-material damage, although these are part of the general risk of life and daily experience, or whether a disadvantage beyond these feelings is required. In addition, the BGH will hear the so-called "scraping cases" in October 2024.
Further cases from Latvia relating to Art. 82 GDPR have been referred to the CJEU, such as, C-507/23, including whether Art. 82 (1) GDPR provides for an obligation to apologise as the only compensation for non-material damage if there is no possibility of restoring the original situation, and whether the motivation of the controller (e.g. fulfilment of a task in the public interest, lack of intent to cause harm or problems of understanding the applicable law) can be taken into account to reduce the claim.
Art. 82 GDPR takes on further contours through the latest CJEU case law
The CJEU's rulings in recent months have answered unresolved questions regarding Art. 82 GDPR and given the standards more precise contours.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.