GDPR Compensation Claims

One of the chief focuses of the General Data Protection Regulation (GDPR), which becomes enforceable on May 25 2018, is to guarantee that the rights and freedoms of people living in EU states are protected, in relation to the gathering of personal data.

With this aim in mind, Article 82 of the GDPR addresses circumstances where the regulations have not been complied with. This can lead to  the data subject being able to sue for compensation in the courts.

The potential for having to pay out compensation should mean that firms review all of their data and processes, in order to ensure that they are compliant, and that they restrict the risk of data breaches happening. Until the first compensation claim is field, it is difficult to account for how much compensation will be payable, but amounts could potentially be massive.

Data subjects are already able to make compensations claims against data controllers if there is a problem with the processing of their personal data which endangers their rights or freedoms. GDPR expands this ability by allowing action to be taken against data processors as well as data controllers. This could mean that the amount of compensation claims made goes up, along with the increase in the number of people to take action against.

GDPR also stresses that compensation can be sought for both material and non-material damage. This means that a data subject can file a claim in respect of damage to reputation in the same way that they can make a claim in relation to financial losses. There is little change to the abilities which are currently in place, but it does further concentrate on the position.

One important fact to be aware of is that data controllers and processors cannot be held responsible if they were in no way responsible the incident which caused the material or non-material damage. However, it is not yet clear what other actions can be taken in instances like this. Along with other aspects of compensation, such as the potential penalties payable, we must wait until the first action is taken, to see what occurs.

Author: GDPR News