Breaching GDPR can be expensive. The decisions of the European supervisory authorities create headlines because of the often spectacularly high fines (for example, Meta has had to pay a total of over 2 billion Euros in fines through several decisions in recent years). Individuals can, however, also claim damages if their personal data has been processed in contravention of GDPR. Thus far, the damages awarded to individuals as "compensation for violations of personal integrity" have been modest in this context. At the same time, such claims are increasingly being directed at companies, and we are receiving a growing number of questions about this. The European Court published guidance on the issue before the summer, and a summary of what applies in these situations is provided below.
CONDITIONS FOR DAMAGES
Persons who consider themselves to have been affected by a breach of GDPR are entitled to claim compensation for the damage they have suffered from either the personal data controller or the personal data processor that participated in the processing. This can, for example, concern situations where personal data has been shared unlawfully or where there is no legal basis for the processing.
For liability for damages to be present, three criteria must be met:
- Breach. A breach of GDPR (or where appropriate another applicable data protection legislation) must be established.
- Actual damage. The individual must be able to demonstrate that s/he actually suffered damage, either material damage (i.e. pecuniary damage) or non-material damage (i.e. non-pecuniary damage, a type of compensation for violations of personal integrity). If a breach has taken place but the individual has not suffered any harm, there is consequently no liability for damages.
- Causal connection. There must be a causal connection between the breach of the data protection legislation and the damage suffered.
The Swedish Privacy Protection Authority (IMY) does not bring actions for damages against individuals. Individuals are instead directed to bring an action in court, which they are always entitled to do. It is therefore ultimately the court that determines whether damages are to be paid and in what amount.
HOW LARGE CAN THE DAMAGES BE?
The levels of damages that apply according to Swedish case law are normally between SEK 3,000 and 5,000 for non-pecuniary damage, but in a few individual cases have reached SEK 15,000 to 35,000. An individual is also entitled to compensation for material damage suffered due to the breach, e.g. if s/he is subjected to identity theft or fraud, but this type of damages is very unusual.
Damages in foreign courts can be higher. For example, in several cases, German courts have set non-pecuniary damages at about 2,000 Euros.
So even though the level of damages in individual cases is low, the total amounts can be substantial if a large number of persons are affected or if the breach leads to material damage.
WHO PAYS THE DAMAGES?
As set out above, in principle individuals are entitled to claim compensation either from the personal data controller or the personal data processor.
The point of departure is that it is the personal data controller that is liable for damage caused through infringements of the regulation. A personal data processor is only liable for damage that has arisen as a result of the processing if it has not fulfilled its obligations as a personal data processor or has acted outside of or contrary to the personal data controller's lawful instructions.
If several personal data controllers or personal data processors are involved in the same processing, for example through an outsourced IT operation or a shared database, the starting point is that the data subject has the right to claim compensation for the entire damage from any one of these actors. These actors may then settle the liability between themselves through the right of recourse provided in GDPR. A condition for liability, however, is that the actor from which damages are claimed is at least partially responsible for the incident that caused the damage.
These principles on the division of liability are often clarified, supplemented or modified between the actors through a personal data processing agreement or another agreement that regulates liability for the joint processing of personal data. So always make sure to have an agreement that is adapted to the personal data processing in your operation and in your collaborations!