GDPR Breach Compensation for data leaks

If you are a resident of the EU and your personal information has been leaked or compromised, especially health or financial data, you may be eligible for compensation of up to €1,000 for economic and non-economic harm in certain cases. The General Data Protection Regulation (GDPR) is an EU-wide law that protects your privacy rights in such situations.

Read on for useful information on GDPR breach compensation.


What is GDPR and what personal information is covered by the GDPR?

GDPR is…

GDPR is the abbreviation of the General Data Protection Regulation, a legal framework that applies throughout the European Union and the European Economic Area (see the list of EEA countries below) and sets the rules for collecting and processing the personal data of individuals in those countries. With the GDPR, Europe signalled its firm stance on data privacy and security at a time when more people entrust their personal data to cloud services and breaches are a daily occurrence. The GDPR was adopted in April 2016 and, after a two-year transition period, became fully applicable on 25 May 2018.

Under the Regulation, organizations (controllers) must tell users what personal data they collect, why they collect it and which legal basis they rely on. Where processing is based on consent, that consent must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action such as clicking an Agree button; pre-ticked boxes or silence do not count. Consent is only one of the lawful bases the GDPR recognises: performance of a contract, a legal obligation and the organization's legitimate interests are others.

All personal data an organization holds must be protected by appropriate technical and organisational security measures (Article 32). If a personal data breach occurs, the organization may be fined by the supervisory authority and may also be liable to compensate the affected individuals (Article 82). Neither follows automatically, and the two are separate (see the section on fines versus compensation below).

An organization that discovers a personal data breach must notify its national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Where the breach is likely to result in a high risk to the individuals concerned, it must also inform them directly without undue delay (Article 34). Failing to notify is itself an infringement that can attract a fine.

What information is covered by the GDPR?

GDPR covers the personal data of any individual in the EU or EEA, whatever their nationality (see the section on which countries and situations are covered below).

Personal data is any information that relates to an identified or identifiable natural person, that is, someone who can be identified directly or indirectly from it. Whether the information is already publicly available makes no difference. Examples include:

  • name
  • medical or financial information (medical diagnosis, prescription information, admission and discharge forms)
  • email addresses
  • location data
  • ethnicity
  • gender
  • biometric data (fingerprints, eye scans, body measurements)
  • physiological, genetic and mental-health data
  • religious beliefs
  • political opinions
  • online identifiers (web cookies, IP address, device type)
  • any other information that may identify an individual, alone or in combination with other data


What countries does GDPR cover?

GDPR covers all countries of the European Economic Area (EEA), which includes Iceland, Liechtenstein and Norway together with the member states of the European Union (the "EU"): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The United Kingdom remained covered until the end of the Brexit transition period on 31 December 2020 and has since kept an equivalent regime of its own (the UK GDPR).

These protections apply to everyone in the above countries, citizens and residents alike. So, is it fair to say GDPR works based on my residency? – Yes, in practice: if your permanent address is in any of the above countries, your data is protected by the GDPR and you enjoy some of the strongest data privacy rights in the world, including the right to erasure (the "right to be forgotten") and the right to compensation for damage caused by unlawful use or misuse of your information.

Does it mean that GDPR does not apply to people not living in the EU or EEA? – No, not exactly. Even if you are not a resident of the EU or EEA, you can still benefit from the protections of the GDPR. Article 3 of the Regulation describes three general situations in which your personal data is protected:

  1. When you are located in an EEA country and your personal data is collected by an organization, even one established outside the EEA, in connection with goods or services it offers you. For instance, you live in Germany and book a flight with Emirates Airlines (based in the UAE): the personal data you enter on the Emirates website is protected by the GDPR.
  2. When personal data is collected by an organization established in the EEA in the context of its business activities, wherever you are. For instance, you are a resident of China and use the services of a medical clinic located in France: the personal data the clinic collects about you is protected by the GDPR.
  3. When an organization, even one established outside the EEA, monitors your behaviour while you are in the EEA. For instance, you are an American touring Europe: location data collected about your movements within the EEA is protected by the GDPR.


When can you get compensation for Data Breach under GDPR?

Article 82 of the GDPR gives you the right to claim compensation from an organization (a controller or a processor) if you have suffered damage as a result of an infringement of the Regulation, a data breach being the typical case. That means that if your data was stolen, misused or disclosed without a lawful basis, you have the right to bring a claim for compensation.

You are eligible for compensation for both "material damage" (e.g. you have lost money) and "non-material damage" (e.g. you have suffered distress and emotional suffering).

Evidence of the harm or damage you suffered strengthens the claim and supports a higher award.

Recital 75 of the GDPR lists the following examples of processing that could lead to physical, material or non-material damage, in particular:

  • where the data breach may lead to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage;
  • where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
  • where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures;
  • where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles;
  • where personal data of vulnerable natural persons, in particular of children, are processed, or
  • where the processing involves a large amount of personal data and affects a large number of data subjects.

Examples of GDPR breaches

  • You place an order on a website. The site suffers a cyber-attack because it does not have adequate security. Your credit card details are posted on another website and used to buy items you never ordered. You can claim compensation from the website operator for the financial damage, as it has breached data protection law by not providing adequate security when processing your data.
  • A medical institution sends the results of an HIV test to the patient's workplace address. Because the letter is poorly sealed, the result becomes known to the employer and the patient loses their job. The patient can claim compensation from the medical institution for the job loss and for the psychological distress suffered, and that distress arises from the mere fact of the breach, even before the job loss.
  • A speed camera photographs a man driving to Amsterdam, where he is secretly seeing someone other than his wife; the photograph is not sensitive or damaging in itself. Harm follows indirectly when his wife learns of the fine and seeks a divorce. Hence, if the confidentiality of the speeding ticket is not properly secured, the man may be entitled to claim data breach compensation even before any harmful event occurs.

GDPR Fine vs GDPR Compensation

I hear about multi-million fines for data breaches imposed on companies like Google. Do I get part of this money as compensation for the breach of my data? – No. A fine and compensation are different things under the GDPR. A fine (Article 83) is imposed by the national supervisory authority and is paid to the state; none of it goes to the affected individuals. Compensation (Article 82) is paid separately by the organization in breach to the victims of the data breach, and only if they claim it.

Do I automatically get compensated by a company that breached my personal data? – No, you need to act proactively and claim compensation. You can instruct a firm like us to represent you in a separate legal case on a No Win, No Fee basis.

When Are You Eligible for Data Breach Compensation under GDPR?

In order to check if you can be potentially eligible for compensation you have to make sure that:

  • A data breach happened. If the company notified you about a data breach, your personal information was likely compromised. Save the data breach notice and any other relevant information you received.
  • The organization is established in the EEA, or you were in the EEA when it offered you goods or services or monitored your behaviour there (see the section on which countries and situations are covered above).
  • The limitation period has not expired. You can check the limitation periods for the different countries in the table below.
  • The data breach caused you "material damage" (e.g. you have lost money) or "non-material harm" (e.g. you have suffered distress and emotional suffering). You do not need to show a financial loss; evidence of the harm you did suffer strengthens the claim and supports a higher award.

Those who did not suffer a financial loss may still have been extremely worried about what happened. Perhaps they were concerned that they would become victims of crime in the future or that money might be stolen from their accounts. This can found a claim for non-material (moral) damages even where no material damage has yet occurred. The GDPR (Recital 85) recognises loss of control over personal data as a form of damage, so you may have a right to compensation for inconvenience, distress, annoyance and loss of control of your personal data.


How Much Compensation Should You Get for a Data Breach Under the GDPR?

The amount of compensation depends on how serious the infringement was and on its impact on you, in particular the damage and distress you suffered. Case law on the amounts also differs from one country to another.


Data breach compensation in the Netherlands

Dutch courts have so far awarded compensation of EUR 250 to EUR 500 per individual for a personal data breach. We expect this practice to develop further, with the amounts increasing.

It is worth noting that in its decision the District Court of Overijssel in the Netherlands emphasised that "the concept of damage must – in accordance with the objectives of the GDPR – be broadly interpreted (Recital 146 of the GDPR), which means that the mere fact that the damage cannot be specified precisely and may be relatively small in scope cannot constitute grounds for rejecting any claim thereto".

Since the GDPR came into force, the Dutch supervisory authority has imposed fines in at least 6 cases, ranging from EUR 50,000 to EUR 900,000.


Data breach compensation in Germany

Case law on compensation for data breaches is still developing in Germany. German courts have been reluctant to award compensation where there is "perceived discomfort or minor trivialities" but no "serious impairment to a person's self-image or reputation".

However, the company in breach may be willing to settle pre-court and compensate substantiated damages to the individual whose personal data was breached.

Since the GDPR came into force, fines have been imposed on GDPR violators in Germany in at least 26 cases. According to the GDPR Enforcement Tracker, those fines ranged from EUR 118 to EUR 14,500,000. Please bear in mind that fines are different from compensation; see the section "GDPR Fine vs GDPR Compensation" above.

The size of a fine reflects the supervisory authority's assessment of how serious the organization's infringement was. A large fine therefore supports the argument for higher compensation, but a court assesses compensation separately, on the damage actually suffered.

We have found a few interesting court cases in Germany with respect to the compensation for data breach:

  • In one case, where a social network had deleted a user's post, the Dresden court held that, in the circumstances before it, the mere blocking of the user's data, and even its deletion, did not constitute "damage" within the meaning of the GDPR. In its ruling, the court said that it might have reached a different view on compensation where a breach of data protection law affects many people in the same way and stems from a conscious, unlawful and large-scale act in pursuit of commercial gain.
  • The plaintiff received an email from the defendant requesting his consent to an email newsletter. In Germany this is considered spam and also a GDPR violation. The plaintiff claimed compensation for non-material damage of EUR 500.00 from the defendant under Art. 82(1) GDPR. The court dismissed the action because the plaintiff had already received an ex gratia payment of EUR 50.00 from the defendant, and compensation beyond that amount was no longer reasonable for such a minor violation. For a more serious violation the compensation could be significantly higher.


Data breach compensation in France

France, as a member of the EU and EEA, applies the GDPR directly. We have not so far found French court cases awarding compensation for a data breach. However, French law also provides for group actions (actions de groupe), which can be brought for personal data claims in line with the GDPR.

Since the GDPR came into force, the French supervisory authority (the CNIL) has imposed fines in at least 6 cases, ranging from EUR 20,000 to EUR 50,000,000 (the Google case). In view of such fines, we anticipate that compensation claims under the GDPR will follow.


Data breach compensation amounts in the UK

These are estimated amounts of compensation based on prior data breach awards in the UK:

  • from £750 to £2,000 - for a low-risk data breach where information is not sensitive and where no financial harm was suffered, as compensation for distress.
  • from £3,000 to £8,000 where sensitive information was compromised (medical or financial data breach), but the breach has not caused severe losses or has not been intentional.

Courts have not yet settled on exact compensation brackets. In some cases where sensitive information was leaked, a celebrity was involved, or the breach had a major effect on the person, courts have assessed the damages carefully and the payout can be much greater, reaching £30,000 to £50,000.

Until the Court of Appeal's decision in Vidal-Hall v Google (2015), it was not possible in the UK to bring a data protection claim without evidence of a financial loss. That case established that a claimant can recover compensation even without any financial loss, on the basis of non-financial (moral) damage such as emotional distress. Case law on the amounts awarded for distress alone after a data breach is still developing.



How can I claim compensation for Data Breach under the GDPR?

To claim compensation, a professionally drafted and substantiated claim has to be sent to the company or organization concerned or filed before the national courts. Under Article 79 GDPR, the claim can be brought before the courts of the EU Member State where the organization is established or, alternatively, before the courts of the EU Member State where you habitually reside.

You can instruct a firm like us where we can represent you for a separate data breach case on a No Win, No Fee basis.

What Is a Time Limit to File a Claim for GDPR Compensation?

Your right to compensation under Article 82(1) GDPR does eventually expire, but the time limit varies from one country to the other.

Note that the country in which you can claim is determined by Article 79 GDPR: the courts of the country where the organization is established, or the courts of the country where you habitually reside. Your nationality alone is not decisive.

This is a handy chart of limitation periods for data compensation claims by country:

COUNTRY          LIMITATION PERIOD
Austria          3 years
Belgium          1 year
Bulgaria         5 years
Croatia          3 years
Cyprus           6 years
Czech Republic   3 years
Denmark          3 years
Estonia          3 years
Finland          3 years
France           5 years
Germany*         3 years
Greece           5 years
Hungary          5 years
Iceland          2 years
Ireland          6 years
Italy            26 months
Latvia           6 months
Lithuania        10 years
Luxembourg       10 years
Malta            No limit
Netherlands      2 years
Norway           3 years
Poland           1 year
Portugal         3 years
Romania          3 years
Slovakia         2 years
Slovenia         2 years
Spain            5 years
Sweden           2 years
Switzerland**    2 years
UK               6 years

* The limitation period in Germany expires on the last day of the third calendar year (for example, the limitation period for a data breach on 29/05/2020 expires on 31/12/2023).

** Switzerland is not an EU or EEA member; the GDPR applies to Swiss residents only in the situations described in the section on which countries and situations are covered above.
