With the introduction of the General Data Protection Regulation (GDPR), almost five years ago now, there was a lot of fuss about the broad possibility that the data protection authorities (in the Netherlands the Autoriteit Persoonsgegevens (AP)) have been given to issue fines when the GDPR is violated. In particular, the fact that these fines can reach astronomical amounts caused a lot of unrest among organizations, which (partly) because of this had to take the GDPR seriously. In practice it has now become clear that the AP and other data protection authorities actually use their power and thus imposes (high) fines. The highest fine the AP has imposed to date is a fine to the Dutch tax authorities in the amount of EUR 3,700,000.
Another reason why an organization may suffer financial consequences when the GDPR is violated is because data subjects (those whose personal data is processed) suffer damages due to the violation of the GDPR and recover these damages from the processing organization. With such damage claims, the question can still be asked whether data subjects actually suffer damages and, if so, how these damages should be assessed.
This blog will address the questions of when data subjects can claim damages in connection with violations of the GDPR and what amount of damages an organization will then owe. Finally, we will consider whether, also in light of the answers to the questions posed above, organizations should be concerned about possible damages claimed by data subjects.
When an organization violates the GDPR when processing personal data, there will often be a violation of data subjects' rights. Because the right to privacy is a fundamental right, there will even be a violation of a fundamental right of data subjects. It is therefore clear that the interests of data subjects will be affected. The question is, however, whether the data subjects have actually suffered damage that qualifies for compensation. In the Netherlands, only the damage actually suffered is compensated. In the case of a violation of the AVG, it is often difficult to prove precisely that and what damage has actually been suffered.
Of course, this is not always the case. When personal data have been stolen, as a result of which a person's bank account could subsequently be plundered, the damage will be fairly easy to prove. The damage shall then consist of the amount that was initially in the bank account of the person concerned, which that person has now lost. But, if the damages concern information that is out in the open that you would rather have kept private, for example because you are ashamed of it, it is a lot harder to prove that there are indeed damages that qualify for compensation.
As a rule, in order to show that there are damages that qualifies for compensation, the data subject must proof that his honor or reputation were harmed or that he was otherwise affected. This is not necessarily the case with a violation of the GDPR. Case law (which is not always consistent) generally assumes that there must be additional circumstances in order to assume that the data subjects' honor or reputation have indeed been harmed, or that their personal rights have been affected in some other way. Circumstances that may be relevant in this regard include, for example, the type of personal data that has been processed (for example, a breach involving sensitive personal data will generally be more likely to give rise to an assumption of harm) or the status of a specific data subject (for example, a public person will have a greater interest in keeping certain information secret).
Data subjects are thus certainly entitled to compensation after a breach of their privacy rights in various situations. The bottom-line however is that after a breach of the AVG, a right to compensation does not necessarily exist for all data subjects, but requires additional circumstances.
In his Opinion in UI v Österreichische Post AG, Mr. Manuel Campos Sánchez-Bordona, Advocate General at the European Court of Justice, commented on the possibility of claiming damages under the GDPR. In his opinion, he considered that a mere breach of the GDPR is insufficient to assume damages to data subjects and that "mere annoyance" resulting from a breach of the GDPR cannot lead to damages. Thus, the AG also seems reluctant to quickly award damages for breaches of the GDPR.
Once it has been determined that an individual has suffered damages, it obviously remains to be determined how much those damages were. In the case of a robbed bank account, again, it will not be very difficult to determine this. But in the case of damage that is not of a material nature, this will again be a lot more difficult. The amount attached to such a breach must be determined by a judge.
In practice, we see that the amounts compensated to those involved are often (relatively) limited. Compensation of around EUR 500 is not exceptionally low and compensation above EUR 2,000 is rare. All in all, therefore, courts are generally not inclined to award high damages to data subjects.
First of all, every organization should of course comply with the law and GDPR as much as possible. Not only because of the risk of financial consequences if this is not done (after all, even if the conclusion would be that damages are no cause for panic, there is always the possibility that a fine will be imposed), but also from the consideration that everyone's fundamental rights should be respected.
Although there is quite a threshold for data subjects, namely that they must prove that they have suffered damages as a result of the GDPR violation and that the damages awarded are often on the low side, liability following an GDPR violation still poses quite a risk. In practice, it is in namely possible to initiate a class action following a violation of the GDPR. Affected parties can then unite and jointly file a claim. It goes without saying that if a large group of data subjects claims a small amount of compensation, there will still be a considerable financial consequence for the organization involved.
Finally, it is not just the compensation to be paid itself. In addition, litigation costs incurred in connection with the claim must also be considered.
In addition to fines from the AP, claims from data subjects as a result of a violation of the GDPR can also be quite costly. Prevention is therefore also in this case better than cure. We are of course happy to help prevent such claims. But if it comes to a claim, we can also assist you in defending against it. Would you like to put your privacy affairs in order, or would you like help with a claim you have already received? Please contact email@example.com.
18 Sep 23
08 Sep 23
07 Aug 23
11 Jul 23
10 Jul 23
19 Jun 23
16 May 23
10 May 23
03 May 23
02 May 23
12 Apr 23
17 Mar 23
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
*This field is requiredI already have an account
Follow what you find interesting
Receive recommendations based on your interests
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.