Compensation under the GDPR: cause for panic or not?

09 Mar '23

Author(s): Dennis Zieren and Lars Boer

With the introduction of the General Data Protection Regulation (GDPR), almost five years ago now, there was a lot of fuss about the broad possibility that the data protection authorities (in the Netherlands the Autoriteit Persoonsgegevens (AP)) have been given to issue fines when the GDPR is violated. In particular, the fact that these fines can reach astronomical amounts caused a lot of unrest among organizations, which (partly) because of this had to take the GDPR seriously. In practice it has now become clear that the AP and other data protection authorities actually use their power and thus imposes (high) fines. The highest fine the AP has imposed to date is a fine to the Dutch tax authorities in the amount of EUR 3,700,000.

Another reason why an organization may suffer financial consequences when the GDPR is violated is because data subjects (those whose personal data is processed) suffer damages due to the violation of the GDPR and recover these damages from the processing organization. With such damage claims, the question can still be asked whether data subjects actually suffer damages and, if so, how these damages should be assessed.

This blog will address the questions of when data subjects can claim damages in connection with  violations of the GDPR and what amount of damages an organization will then owe. Finally, we will consider whether, also in light of the answers to the questions posed above, organizations should be concerned about possible damages claimed by data subjects.

Can damages be claimed for a breach of the GDPR?   

When an organization violates the GDPR when processing personal data, there will often be a violation of data subjects' rights. Because the right to privacy is a fundamental right, there will even be a violation of a fundamental right of data subjects. It is therefore clear that the interests of data subjects will be affected. The question is, however, whether the data subjects have actually suffered damage that qualifies for compensation. In the Netherlands, only the damage actually suffered is compensated. In the case of a violation of the AVG, it is often difficult to prove precisely that and what damage has actually been suffered.

Of course, this is not always the case. When personal data have been stolen, as a result of which a person's bank account could subsequently be plundered, the damage will be fairly easy to prove. The damage shall then consist of the amount that was initially in the bank account of the person concerned, which that person has now lost. But, if the damages concern information that is out in the open that you would rather have kept private, for example because you are ashamed of it, it is a lot harder to prove that there are indeed damages that qualify for compensation.

As a rule, in order to show that there are damages that qualifies for compensation, the data subject must proof that his honor or reputation were harmed or that he was otherwise affected. This is not necessarily the case with a violation of the GDPR. Case law (which is not always consistent) generally assumes that there must be additional circumstances in order to assume that the data subjects' honor or reputation have indeed been harmed, or that their personal rights have been affected in some other way. Circumstances that may be relevant in this regard include, for example, the type of personal data that has been processed (for example, a breach involving sensitive personal data will generally be more likely to give rise to an assumption of harm) or the status of a specific data subject (for example, a public person will have a greater interest in keeping certain information secret).

Data subjects are thus certainly entitled to compensation after a breach of their privacy rights in various situations. The bottom-line however is that after a breach of the AVG, a right to compensation does not necessarily exist for all data subjects, but requires additional circumstances.

In his Opinion in UI v Österreichische Post AG, Mr. Manuel Campos Sánchez-Bordona, Advocate General at the European Court of Justice, commented on the possibility of claiming damages under the GDPR. In his opinion, he considered that a mere breach of the GDPR is insufficient to assume damages to data subjects and that "mere annoyance" resulting from a breach of the GDPR cannot lead to damages. Thus, the AG also seems reluctant to quickly award damages for breaches of the GDPR.

To what amount might a data subject be entitled to?

Once it has been determined that an individual has suffered damages, it obviously remains to be determined how much those damages were. In the case of a robbed bank account, again, it will not be very difficult to determine this. But in the case of damage that is not of a material nature, this will again be a lot more difficult. The amount attached to such a breach must be determined by a judge.

In practice, we see that the amounts compensated to those involved are often (relatively) limited. Compensation of around EUR 500 is not exceptionally low and compensation above EUR 2,000 is rare. All in all, therefore, courts are generally not inclined to award high damages to data subjects.

Should organizations be concerned about possible damages due after violation of the GDPR?

First of all, every organization should of course comply with the law and GDPR as much as possible. Not only because of the risk of financial consequences if this is not done (after all, even if the conclusion would be that damages are no cause for panic, there is always the possibility that a fine will be imposed), but also from the consideration that everyone's fundamental rights should be respected.

Although there is quite a threshold for data subjects, namely that they must prove that they have suffered damages as a result of the GDPR violation and that the damages awarded are often on the low side, liability following an GDPR violation still poses quite a risk. In practice, it is in namely possible to initiate a class action following a violation of the GDPR. Affected parties can then unite and jointly file a claim. It goes without saying that if a large group of data subjects claims a small amount of compensation, there will still be a considerable financial consequence for the organization involved.

Finally, it is not just the compensation to be paid itself. In addition, litigation costs incurred in connection with the claim must also be considered.

Conclusion

In addition to fines from the AP, claims from data subjects as a result of a violation of the GDPR can also be quite costly. Prevention is therefore also in this case better than cure. We are of course happy to help prevent such claims. But if it comes to a claim, we can also assist you in defending against it. Would you like to put your privacy affairs in order, or would you like help with a claim you have already received? Please contact privacy@ploum.nl.

Contact

Attorney at law, Partner

Dennis Zieren

Expertises:  Procurement law,IT-Law,Privacy law,Litigation,Cybersecurity , Technology, Media and Telecom,Health Care & Life Sciences,Transport and Logistics, E-health,E-commerce,

Attorney at law

Lars Boer

Expertises:  IT-Law,Privacy law,Procurement law,Cybersecurity , Technology, Media and Telecom, Commercial Contracts,Start-up en Scale-up,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Subject(s)

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Change your details' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Change your details' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.