Article 82 of the GDPR
Damages when a company violates GDPR
Data subjects may be entitled to damages when a company violates the GDPR. The data subject's right to damages for infringements of the GDPR is regulated in Article 82 of the GDPR. Note that damages and administrative fines are not the same thing, which is important for both companies and data subjects to know.
What is the difference between damages and administrative fines?
Supervisory authorities have the power to impose administrative fines on companies that violate the GDPR. An administrative fine is a form of penalty amount that the company must pay. The maximum amount of the fine that can be imposed on a company in the case of serious infringements is EUR 20 million or up to 4% of the company’s total worldwide annual turnover of the preceding financial year.
On the other hand, data subjects do not benefit from the fines paid, as companies pay these to the state. Instead, the data subject must bring a civil action against the company in order to claim damages. In most cases, the data subject must have suffered damage in order to be awarded damages. However, it is also possible for data subjects to receive damages for fear that their personal data will be misused in the future.
Can both controllers and processors be liable for damages?
Yes. Even though the controller has the ultimate responsibility for the processing of personal data, processors are also responsible for their own processing of that data. If a processor violates the provisions of the data processing agreement, or does not comply with the rules of the GDPR that are addressed to processors, it may be liable for damages. This is stated in Article 82(2) of the GDPR.
Material or non-material damage for the purpose of claiming compensation
A data subject who has suffered material or non-material damage as a result of a company having violated the GDPR is entitled to compensation from the company. This is stated in Article 82 of the GDPR.
Material damage: A data subject may suffer material damage due to a company’s infringement of the GDPR. In short, financial losses constitute material damage. For example:
- A data leak that led to identity theft with financial loss, for example where the data subject's identity was hijacked and an unauthorised person took out a loan in his or her name.
- Data breaches leading to other types of unauthorised transactions and fraud.
- Costs of dealing with identity theft, such as replacing identity documents, legal advice, loss of income, credit monitoring services, etc.
Non-material damage: In addition to compensation for material damage, a data subject may in some cases also be entitled to compensation for non-material damage. In short, non-material damage is about psychological or emotional impact. For example:
- The data breach causes the data subject to feel anxiety, stress, discomfort or worry.
- The data subject feels powerless and violated, due to the intrusion into his or her privacy.
- A data breach concerning sensitive personal data could lead to the data subject being afraid that the sensitive personal data will be disseminated or processed by unauthorised persons.
When can a data subject be entitled to compensation from a company?
In order for a data subject to be entitled to compensation from a company for breaches of the GDPR, three criteria must be met:
- The company must have breached the provisions of the GDPR and thus processed the data subject's personal data in violation of the GDPR.
- The data subject must have suffered damage for which he or she seeks compensation from the company. The damage may be material or non-material.
- There must be a clear link (causality) between the damage suffered by the data subject and the company's infringement of the GDPR.
If the company can prove that it is in no way responsible for the event that caused the damage, the company escapes liability and does not have to pay damages to the data subject. This follows from Article 82(3) of the GDPR.
Damages for fears of future misuse of personal data
It is possible for data subjects to obtain damages for their fear of future misuse of personal data. This was established by the Court of Justice following a reference for a preliminary ruling by the Bulgarian Supreme Administrative Court. In other words, a well-founded fear that personal data which has, for example, leaked or otherwise ended up in unauthorised hands will be misused in the future may constitute non-material damage.
Learn more
The supervisory authority can issue a reprimand to a company that violates the GDPR
If a company violates the GDPR, this does not necessarily mean that the company has to pay an administrative fine. For less serious infringements, the company may instead receive a more lenient sanction, such as a reprimand (correction). Several factors determine the penalty that a violation leads to. These include, among other things, what the company has done to limit the damage, the size of the company, the number of data subjects affected, and what measures the company has taken to prevent the infringement from happening again.