
GDPR Enforcement: Consumers Claiming Compensation


Enforcement Risks

Non-compliance with the EU General Data Protection Regulation (GDPR) may lead to severe liability risks for companies inside and outside the European Union, stemming from claims by consumers, claims by competitors or business partners such as service providers and business customers, and from enforcement by supervisory authorities. In this article, we put a spotlight on liability towards consumers.

Are consumers entitled to compensation in case of violations of the GDPR?

Under Art. 82 GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to compensation from the data controller or data processor.

These claims can be brought by individuals whose personal information (e.g. name, contact details including e-mail address, payment information, IP address, device fingerprints, and location or other behavioral data) your company collects, retains, uses or otherwise processes within the scope of the GDPR.

Who is entitled to claims under Art. 82 GDPR?

Violations of the GDPR that may lead to claims for compensation may include, amongst others:

Any person whose personal information is affected by such case of non-compliance may be entitled to damages. If, for example, a privacy notice of a web service does not meet the legal requirements, this may be any user of the service. A company is not liable if it proves that it is in no way responsible for the violation of the GDPR, neither intentionally nor negligently.

Art. 82 GDPR usually concerns data collected in B2C settings. It may also cover individuals whose data were gathered in B2B settings (e.g. the content of e-mails from an employee of one of your business customers); their employer as a legal entity, however, is not entitled to claims under Art. 82 GDPR. The respective employee may file a legal action on his or her own behalf.

What kind of damages may be claimed? How to calculate compensation?

Firstly, the consumer affected by the GDPR infringement may claim material damages. This may, for example, include a situation where a hacker attack leads to unauthorized disclosure of user data to the public, the data controller failed to implement appropriate measures for data security, and the user becomes a victim of identity theft or other fraud that leads to financial damages.

Secondly, non-material damages may also be subject to claims for compensation. If, for example, in the scenario described in the paragraph above, the hacker attack leads to the unauthorized disclosure of information such as private communications including compromising details on his or her private life, the user may also claim compensation for his or her reputational damage.

The precise scope and factors to calculate such non-material damages are subject to disputes in various legal actions. In particular, it is unclear whether financial compensation must be paid only in case the individual has suffered severe (non-financial) disadvantages, or whether the mere violation of GDPR obligations is sufficient to trigger a financial compensation.

Recently, a higher regional court in Austria ruled the practice of a leading Austrian direct marketing service provider unlawful (Landesgericht Feldkirch, judgement of August 7, 2019, case no. 57 Cg 30/19b – 15). The company had sold postal address data that had been attributed to target groups to political parties without the residents’ consent. The court granted compensation in the amount of 800 EUR to the plaintiff, who was only one of potentially 2.2 million affected consumers who may be entitled to compensation.

Due to an appeal, this judgement is not yet legally binding. As a consequence of the judiciary system in the EU, it sometimes takes years until landmark cases arrive at the European Court of Justice, which is the highest authority when it comes to interpreting EU laws. Therefore, as is often the case with the relatively new GDPR, patience is required to get the full picture.

Who is responsible in case service providers are involved?

The data controller in the sense of Art. 4(7) GDPR (i.e. the legal entity which, alone or jointly with others, determines the purposes and means of the data processing in question) is liable for any damage caused by processing which infringes the GDPR.

A data processor in the sense of Art. 4(8) GDPR (i.e. the legal entity which handles personal data on behalf of others) will be liable only if it violated the data controller’s instructions, or if it infringes a GDPR obligation that is directly addressed to data processors. For example, data processors must ensure a technical environment that meets the GDPR requirements for data security.

Conversely, if a data controller unlawfully collects personal information on consumers and uses a cloud or SaaS service to manage these data, the cloud service provider is generally not liable for GDPR infringements of its customer. However, for some companies, the rules of the EU e-Commerce Directive may apply and force them to take down illegal third-party content upon notice.

How severe is the risk in practice?

There are no reliable statistics on how many claims have been raised throughout the EU. According to our practical experience, the number of claims being brought to court remains low. For the moment, consumer protection agencies are the major drivers, bringing test cases to the courts. If the European Court of Justice sets a clear and consumer-friendly precedent, this may encourage legal tech startups to seek financial benefit by accumulating claims and initiating class actions, for example in case of major data breaches that affect high numbers of consumers.


Who is EU-REP.Global?

We are a data protection service provider based in Germany, focused on compliance services under the EU General Data Protection Regulation.
