February 22nd, 2024 by James Goudie KC

The mere infringement of a provision of the GDPR is not in itself sufficient to confer a right to compensation, but any person who has suffered damage as a result of an infringement of the GDPR has the right under Article 82, to receive compensation.  There have been a number of recent CJEU Judgments on Article 82, in Cases C-340/21, on Cyberattack Data Breach Liability, Case C-667/201, on Health Data Processing, Case C687-21, on Negligence in Data Handling, and Case C-456/22, on Thresholds of Non-Material Damage, where data subjects sought compensation for damage arising from the publication of their names, on the internet, by a Municipality, without their consent, as part of the Agenda for a Municipal Council Meeting.  As the Irish Legal News identifies, a number of conclusions may be drawn from these and earlier cases including that the right to compensation for damages for breach of the GDPR requires a claimant to establish an infringement of the GDPR, that he has suffered damage, and that there is a causal link between the infringement and the damage suffered; the fact of an infringement of the GDPR gives rise to a presumption that the technical and organisational measures adopted by the control/processor were insufficient, but that presumption can be rebutted by a data controller; the concept of damage is broadly interpreted, with no de minimis threshold; non-material damage may include a loss of control over personal data or fear about potential future misuse, but actual damage must be proven by a claimant; and the damages regime provided by Article 82 serves a compensatory function only, and does not have a punitive or deterrent function.

Comments are closed.