01202 525333
Make An Enquiry
Abigail Sinden
Abigail Sinden
22 May 2019

Compensation under the GDPR

Business Services

We have received quite a few queries recently regarding claiming compensation for data protection breaches under the General Data Protection Regulations (GDPR). Therefore, I thought it would be useful to clarify a few myths and misunderstandings.

Can I claim compensation for a data protection breach?

Yes, under Article 82 of the GDPR. “Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” However, Article 82 (6) states that “court proceedings for exercising the right to receive compensation shall be brought before the courts competent under law of the member state ….

Therefore, any claims for compensation under the GDPR must be brought in a court and not with the Information Commissioner’s Office (ICO). Whilst the ICO is the UK’s independent authority which governs the use of personal data, the ICO does not award damages for compensation, it is the organisation which fines organisations which are in breach of the GDPR.

How much compensation can I claim?

There are currently no guidelines on how much compensation can be awarded for a claim under the GDPR. This is because the GDPR has only been in force for just over a year and therefore there is a lack of case law presently. Under the old Data Protection Act 1998, typical compensation awards were around £750 to £1,000.

It is important to note that claims for compensation and the fines which the ICO can impose on an organisation are two very different things.

The ICO has the power to investigate a data protection breach and if that organisation has failed to comply with the GDPR the ICO can issue a monetary penalty. There are two tiers of penalty with the higher penalty being €20m (or equivalent in Sterling) or 4% of the total annual worldwide turnover in the preceding financial year of the organisation, whichever is higher.

The penalties issued by the ICO should not be confused with the amount of compensation which an individual is able to claim.

Will I have to pay my own costs?

As mentioned above claims for compensation for breach of the GDPR must be brought in a court. However, it is likely that your claim will be for less than £10,000 and therefore you will be responsible for your own costs and legal fees. Even if your claim for compensation is successful, you will not be able to reclaim these costs back from the organisation in breach. This is because claims for less than £10,000 are brought in the Small Claims Court, where each party is responsible for their own costs. This should be considered prior to making a claim.

Can the ICO assist me with my compensation claim?

While the ICO does not award compensation, it can assess an organisation to see if it has breached its obligations under the GDPR. The results of the ICO assessment could potentially assist you with your compensation claim.

We recommend visiting the ICO’s website which contains a plethora of information about data protection and the GDPR. If you feel that an organisation has misused your personal data, we would always advise that you contact the ICO in the first instance as they can advise you on the next steps to take prior to seeking legal advice.

I hope the above has been helpful in order to clarify the compensation position. However, should you have any queries about the GDPR please do not hesitate to get in touch. Please call 01202 525333 or email at abi.sinden@ellisjones.co.uk

Print Back to Blog
Abigail Sinden
Abigail Sinden