The mere infringement of a provision of the GDPR is not in itself sufficient to confer a right to compensation, but any person who has suffered damage as a result of an infringement of the GDPR has the right under Article 82, to receive compensation.  There have been a number of recent CJEU Judgments on Article 82, in Cases C-340/21, on Cyberattack Data Breach Liability, Case C-667/201, on Health Data Processing, Case C687-21, on Negligence in Data Handling, and Case C-456/22, on Thresholds of Non-Material Damage, where data subjects sought compensation for damage arising from the publication of their names, on the internet, by a Municipality, without their consent, as part of the Agenda for a Municipal Council Meeting.  As the Irish Legal News identifies, a number of conclusions may be drawn from these and earlier cases including that the right to compensation for damages for breach of the GDPR requires a claimant to establish an infringement of the GDPR, that he has suffered damage, and that there is a causal link between the infringement and the damage suffered; the fact of an infringement of the GDPR gives rise to a presumption that the technical and organisational measures adopted by the control/processor were insufficient, but that presumption can be rebutted by a data controller; the concept of damage is broadly interpreted, with no de minimis threshold; non-material damage may include a loss of control over personal data or fear about potential future misuse, but actual damage must be proven by a claimant; and the damages regime provided by Article 82 serves a compensatory function only, and does not have a punitive or deterrent function.

This entry was posted on Thursday, February 22nd, 2024 at 12:46 pm and is filed under Judicial Control, Liability and Litigation. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.