GDPR Enforcement: Consumers Claiming Compensation

  • Author: Niklas Drexler
  • Last updated: 03.07.2023
  • Category: Enforcement

Non-compliance with the EU General Data Protection Regulation (GDPR) may lead to severe liability risks for companies inside and outside the European Union, stemming from claims by consumers, claims by competitors or business partners such as service providers and business customers, and from enforcement by supervisory authorities. In this article, we put a spotlight on liability towards consumers.

Are consumers entitled to compensation in case of violations of the GDPR?

Under Art. 82 GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to compensation from the data controller or data processor.

These claims can be brought forward by individuals whose personal information (e.g. name, contact details including e-mail address, payment information, IP address, device fingerprints, and location or other behavioral data) your company collects, retains, uses or otherwise processes within the scope of the GDPR.

Who is entitled to claims under Art. 82 GDPR?

Violations of the GDPR that may lead to claims for compensation include, amongst others:

  • Processing of personal information without a legal basis under Art. 6 and/or 9 GDPR, such as consent, legitimate interests, or necessity for the performance of a contract
  • Failing to comply with the rights of data subjects under Art. 15-22 GDPR, such as the “right to be forgotten” under Art. 17 GDPR
  • Non-provision of or insufficient privacy statements under Art. 13-14 GDPR
  • Data breaches due to insufficient technical and organizational measures for data security under Art. 32 GDPR

Any person whose personal information is affected by such a case of non-compliance may be entitled to damages. If, for example, the privacy notice of a web service does not meet the legal requirements, this may be any user of the service. A company is not liable if it proves that it is in no way responsible for the violation of the GDPR, neither intentionally nor negligently.

Art. 82 GDPR usually concerns data collected in B2C settings. It may also cover individuals whose data were gathered in B2B settings (e.g. the content of e-mails from an employee of one of your business customers); however, their employer as a legal entity is not entitled to claims under Art. 82 GDPR. The respective employee may file a legal action on his or her own behalf.

What kind of damages may be claimed? How to calculate compensation?

Firstly, the consumer affected by the GDPR infringement may claim material damages. This may include, for example, situations where a hacker attack leads to the unauthorized disclosure of user data to the public, the data controller failed to implement appropriate measures for data security, and the user becomes a victim of identity theft or other fraud that leads to financial damages.

Secondly, non-material damages may also be subject to claims for compensation. If, for example, in the scenario described in the paragraph above, the hacker attack leads to the unauthorized revelation of information such as private communications including compromising details on his or her private life, the user may also claim compensation for his or her reputational damage.

The precise scope and factors to calculate such non-material damages are subject to disputes in various legal actions. In particular, it is unclear whether financial compensation must be paid only in case the individual has suffered severe (non-financial) disadvantages, or whether the mere violation of GDPR obligations is sufficient to trigger a financial compensation.

Recently, a higher regional court in Austria ruled the practice of a leading Austrian direct marketing service provider unlawful (Landesgericht Feldkirch, judgement of August 7, 2019, case no. 57 Cg 30/19b – 15). The company had sold postal address data that had been attributed to target groups to political parties without the residents’ consent. The court granted compensation in the amount of 800 EUR to the plaintiff – who was only one out of potentially 2.2 million consumers that were affected and are potentially entitled.

Due to an appeal, this judgement is not yet legally binding. As a consequence of the judicial system in the EU, it sometimes takes years until landmark cases arrive at the European Court of Justice, which is the highest authority when it comes to interpreting EU law. Therefore, as is often the case with the relatively new GDPR, patience is required to get the full picture.

Who is responsible in case service providers are involved?

The data controller in the sense of Art. 4(7) GDPR (i.e. the legal entity which, alone or jointly with others, determines the purposes and means of the data processing in question) is liable for any damage caused by processing which infringes the GDPR.

A data processor in the sense of Art. 4(8) GDPR (i.e. the legal entity which handles personal data on behalf of others) will be liable only if it violated the data controller’s instructions, or if it infringes a GDPR obligation that is directly addressed to data processors. For example, data processors must ensure a technical environment that meets the GDPR requirements for data security.

Conversely, if a data controller unlawfully collects personal information on consumers and uses a cloud or SaaS service to manage these data, the cloud service provider is generally not liable for the GDPR infringements of its customer. However, for some companies, EU e-Commerce regulations may apply and force them to take down illegal third-party content upon notice.

How severe is the risk in practice?

There are no reliable statistics on how many claims have been raised throughout the EU. According to our practical experience, the number of claims brought to court remains at a low level. For the moment, consumer protection agencies are the major drivers, bringing test cases to the courts. If the European Court of Justice sets clear and consumer-friendly precedents, this may encourage legal tech startups to seek financial benefit from accumulating claims and initiating class actions, for example in the case of major data breaches that affect high numbers of consumers.
