If you are a resident of the EU and your personal information has been leaked or compromised, especially where health data has been exposed or financial data leaked, you might be eligible for up to €1,000 as compensation for economic and non-economic harm in certain cases. The General Data Protection Regulation (GDPR) is an EU-wide law that protects your privacy rights in such unfortunate cases.
Read on for useful information on GDPR breach compensation.
GDPR is the abbreviation of the General Data Protection Regulation, a legal framework covering the whole European Union and European Economic Area (see below for the list of EEA countries) that sets guidelines for the collection and processing of personal information from individuals who live in the EEA countries. With the GDPR, Europe is signalling its firm stance on data privacy and security at a time when more people are entrusting their personal data to cloud services and breaches are a daily occurrence. The GDPR was adopted in April 2016 and, after a two-year transition period, came into full effect in May 2018.
Under the Regulation, users must be notified of the data the organization (service provider) collects from them and must explicitly consent to that information-gathering, for example by clicking an Agree button or taking another affirmative action.
All gathered personal data shall be reliably secured by the organization. If a personal data breach happens, the organization shall be fined and shall pay compensation to the affected users.
Any organization must also notify users in a timely way (within 72 hours of discovering a breach) if any personal data it holds is breached. If the organization fails to notify the victims of a data breach, it will face severe penalties.
What information is covered by the GDPR?
GDPR covers any personal data of the EU citizens and residents.
Personal data is any information that relates to an individual who can be directly or indirectly identified, in particular where such information is not publicly available, such as:
GDPR covers all countries of the European Economic Area (EEA), which includes Iceland, Liechtenstein and Norway and the countries of the European Union (the “EU”): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
GDPR protections apply to all citizens and residents of the above countries. So, is it fair to say that GDPR protection is based on my residency? – Yes, if your permanent address is in any of the above countries, your data is protected by the GDPR and you enjoy some of the strongest data privacy rights in the world, including the right to be forgotten (to have your data deleted) and the right to compensation for any use or misuse of your information.
Does that mean the GDPR does not apply to people not living in the EU or EEA? – No, not exactly. Even if you are not a resident of the EU or EEA, you can still benefit from the data protections implemented in the EU. There are three general types of situation in which your personal data can be protected by the GDPR:
The GDPR gives you the right to claim compensation from an organization if you have suffered a data breach. That means that if your data was stolen, misused or disclosed without your consent, you have the right to bring a claim for compensation.
You are eligible for compensation in the case of either “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress and emotional suffering).
That said, if you can provide evidence of the harm or damage you suffered, this increases the amount of compensation you can get.
The GDPR identifies the following examples of personal data processing breaches which could lead to physical, material or non-material damage, in particular:
Examples of GDPR breaches
You place an order on a website. The site suffers a cyber-attack because it does not have adequate security. Your credit card details are posted on another website and used to buy items you never ordered. You can claim compensation from the website for the financial damage, because it has breached data protection law by not providing adequate security when processing your data.
A medical institution sends the result of an HIV-positive test to the patient’s work address. Because the letter is poorly sealed, the result becomes known to the employer and the patient loses their job. The patient can claim compensation from the medical institution for the job loss, and also for the psychological distress suffered even before the job loss, arising from the mere fact of the data breach.
A speeding camera photographs a man driving to Amsterdam, where he is secretly having an affair; the photograph is not sensitive or damaging in itself. But harm follows indirectly when his wife learns about the fine and seeks a divorce after discovering the affair. Hence, the man is entitled to file for data breach compensation if the confidentiality of the speeding tickets is not properly secured, even before any harmful event happens.
I hear about multi-million fines for data breaches imposed on companies like Google. Do I get part of this money as compensation for the breach of my data? – No, there is a difference between a fine and compensation under the GDPR. A fine is imposed by the authority and is paid to the government. Compensation shall be paid separately by the organization in breach to the victims of the data breach.
Do I automatically get compensated by any company that breaches my personal data? – No, you need to act proactively and claim compensation. You can instruct a firm like us to represent you in a separate legal case on a No Win, No Fee basis.
To check whether you may be eligible for compensation, you have to make sure that:
Those who did not suffer a financial loss may well still have been extremely worried about what happened. Perhaps they were concerned that they would be victims of crime in the future or that money may have been stolen from their accounts. This may mean they had a case for moral damages even without real harm (material damage) taking immediate effect. According to the GDPR, you should have the right to compensation for inconvenience, distress, annoyance and loss of control of your personal data.
The amount of compensation will depend on how serious the infringement was and its impact on you, particularly the damage and distress you suffered. Also, different countries may have different court practices regarding the amount of compensation.
Dutch courts have so far awarded compensation of EUR 250 to EUR 500 to each individual for a personal data breach. We expect this practice to develop further, increasing the amount of compensation.
It is worth noting that in its decision the Administrative District Court of Overijssel in the Netherlands emphasized that “the concept of damage must – in accordance with the objectives of the GDPR – be broadly interpreted (paragraph 146 of the preamble to the GDPR), which means that the mere fact that the damage cannot be specified precisely and may be relatively small in scope cannot constitute grounds for rejecting any claim thereto”.
Since the GDPR came into force, there have been no fewer than 6 cases in the Netherlands imposing fines on violators of the GDPR, ranging from EUR 50,000 to EUR 900,000.
Court practice regarding compensation for data breaches is still developing in Germany. German courts remain reluctant to award compensation “where there is ‘perceived discomfort or minor trivialities’ but no ‘serious impairment to a person’s self-image or reputation’”.
However, the company in breach may be willing to settle out of court and compensate substantiated damages to the individual whose personal data was breached.
Since the GDPR came into force, there have been no fewer than 26 cases imposing fines on violators of the GDPR in Germany. According to the GDPR Enforcement Tracker, fines for violation of the GDPR in Germany have ranged from EUR 118 to EUR 14,500,000. Please note that fines are different from compensation; we discuss this in chapter 3 above.
Fines indicate the degree of the company’s fault. The higher the fine, the higher the degree of fault, and compensation should be adjusted accordingly.
We have found a few interesting court cases in Germany regarding compensation for data breaches:
In one case, where a social network deleted a user’s post, the court said that in the context of the case before it, the mere blocking of the internet user’s data, as well as the deletion of their data, did not constitute “damage” within the meaning of the GDPR. In its ruling, the Dresden court said that it might have reached a different view on the question of compensation in cases where a breach of data protection law affects multiple people in the same way and where the infringement stems from a conscious, illegal and large-scale act in pursuit of commercial gain.
The plaintiff received an email from the defendant requesting his consent to an email newsletter. In Germany, this is considered spam and also a GDPR violation. The plaintiff claimed compensation for immaterial damage in the amount of €500.00 from the defendant pursuant to Art. 82(1) GDPR. The court dismissed the action because the plaintiff had already received an ex gratia payment of €50.00 from the defendant, and compensation for immaterial damage beyond this amount was no longer reasonable. In other cases, compensation could be significantly higher if the violation is more serious.
France, as a member of the EU and EEA, has also implemented the GDPR. We have not so far found court cases regarding compensation for data breaches. However, French law also allows for group (class) actions, including for personal data protection, in line with the GDPR requirements.
Since the GDPR came into force, there have been no fewer than 6 cases in France imposing fines on violators of the GDPR, ranging from EUR 20,000 to EUR 50,000,000 (the Google case). In view of such fines, we anticipate that compensation cases under the GDPR will also take place soon.
These are estimated amounts of compensation based on prior data breach awards in the UK:
Courts have not yet settled on exact compensation brackets. In some cases where sensitive information was leaked, a celebrity was involved, or a data breach had a major effect on the person, courts have carefully assessed data breach damages and the payout can be much greater, reaching £30,000 to £50,000.
Up until last year, it was not possible in the UK to make a claim relating to data protection without evidence of a financial loss. This changed with the Vidal-Hall v Google case. The case established that a claimant could claim compensation even when they had not experienced a financial loss. Instead, their claim could be based on non-financial damages, known as moral damages, an example of which might be emotional distress. However, as the case only took place last year, there are not yet examples of how much might be awarded in the case of something like a data breach.
To claim compensation, a professionally drafted and substantiated claim has to be filed with the company or organization concerned or before the national courts. Compensation can be claimed before the courts of the EU Member State where the company is established. Alternatively, such proceedings may be brought before the courts of the EU Member State of your habitual residence.
You can instruct a firm like us to represent you in a separate data breach case on a No Win, No Fee basis.
Your right to compensation under Article 82(1) GDPR does eventually expire, but the time limit varies from one country to another.
You should note that the country in which you can bring a claim is determined by your nationality or residency, or by which court has jurisdiction over the company for that particular data breach.
This is a handy chart with limitation periods for data compensation claims by country:
* The limitation period in Germany expires on the last day of the third calendar year following the year of the breach (for example, the limitation period for a data breach on 29/05/2020 expires on 31/12/2023).