
GDPR Enforcement Risks: Consumers Claiming Compensation

Categories: Enforcement

Enforcement Risks

Non-compliance with the EU General Data Protection Regulation (GDPR) may lead to severe liability risks for companies inside and outside the European Union, stemming from claims by consumers, claims by competitors or business partners such as service providers and business customers, and from enforcement by supervisory authorities. In this article, we put a spotlight on liability towards consumers.

Are consumers entitled to compensation in case of violations of the GDPR?

Under Art. 82 GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to compensation from the data controller or data processor.

These claims can be brought by individuals whose personal information (e.g. name, contact details including e-mail address, payment information, IP address, device fingerprints, and location or other behavioral data) your company collects, retains, uses or otherwise processes within the scope of the GDPR.

Who is entitled to claims under Art. 82 GDPR?

Violations of the GDPR that may lead to claims for compensation may include, amongst others:

Any person whose personal information is affected by such case of non-compliance may be entitled to damages. If, for example, a privacy notice of a web service does not meet the legal requirements, this may be any user of the service. A company is not liable if it proves that it is in no way responsible for the violation of the GDPR, neither intentionally nor negligently.

Art. 82 GDPR usually concerns data collected in B2C settings. It may also cover individuals whose data were gathered in B2B settings (e.g. the content of e-mails from an employee of one of your business customers); however, their employer as a legal entity is not itself entitled to claims under Art. 82 GDPR. The respective employee may file a legal action on his or her own behalf.

What kind of damages may be claimed? How to calculate compensation?

Firstly, the consumer affected by the GDPR infringement may claim material damages. This may, for example, include situations where a hacker attack leads to unauthorized disclosure of user data to the public, the data controller failed to implement appropriate measures for data security, and the user becomes a victim of identity theft or other fraud that leads to financial damages.

Secondly, non-material damages may also be subject to claims for compensation. If, for example, in the scenario described in the paragraph above, the hacker attack leads to the unauthorized revelation of information such as private communications containing compromising details about the user's private life, the user may also claim compensation for his or her reputational damage.

The precise scope and factors to calculate such non-material damages are subject to disputes in various legal actions. In particular, it is unclear whether financial compensation must be paid only in case the individual has suffered severe (non-financial) disadvantages, or whether the mere violation of GDPR obligations is sufficient to trigger a financial compensation.

Recently, a higher regional court in Austria ruled the practice of a leading Austrian direct marketing service provider unlawful (Landesgericht Feldkirch, judgement of August 7, 2019, case no. 57 Cg 30/19b – 15). The company had sold postal address data that had been attributed to target groups to political parties without the residents’ consent. The court granted compensation in the amount of 800 EUR to the plaintiff – who was only one out of potentially 2.2 million consumers that were affected and are potentially entitled.

Due to an appeal, this judgement is not yet legally binding. As a consequence of the judiciary system in the EU, it sometimes takes years until landmark cases arrive at the European Court of Justice, which is the highest authority when it comes to interpreting EU laws. Therefore, patience is required to get the full picture, as is often the case with regard to the relatively new GDPR.

Who is responsible in case service providers are involved?

The data controller in the sense of Art. 4(7) GDPR (i.e. the legal entity which, alone or jointly with others, determines the purposes and means of the data processing in question) is liable for any damage caused by processing which infringes the GDPR.

A data processor in the sense of Art. 4(8) GDPR (i.e. the legal entity which handles personal data on behalf of others) will be liable only if it has acted contrary to the data controller’s instructions, or if it infringes a GDPR obligation that is directly addressed to data processors. For example, data processors must ensure a technical environment that meets the GDPR requirements for data security.

Conversely, if a data controller unlawfully collects personal information on consumers and uses a cloud or SaaS service to manage these data, the cloud service provider is generally not liable for its customer’s GDPR infringements. However, for some companies, the rules of the EU e-Commerce Directive may apply and force them to take down illegal third-party content upon notice.

How severe is the risk in practice?

There are no reliable statistics on how many claims have been raised throughout the EU. According to our practical experience, the number of claims being brought to court remains at a low level. For the moment, consumer protection agencies are the major drivers, bringing test cases to the courts. If the European Court of Justice sets clear and consumer-friendly precedent, this may encourage legal tech startups to seek financial benefit from accumulating claims and initiating class actions, for example in case of major data breaches that affect high numbers of consumers.
