GDPR Compensation and GDPR Penalties


The new and strengthened data protection regime of the General Data Protection Regulation (GDPR) will require businesses to adjust their approach to data protection legal compliance. Compliance failures can lead to compensation claims by individuals as well as the levying of much tougher penalties by the ICO.

What rights to compensation under the GDPR do affected persons have and what are the penalties for GDPR infringements?

Compensation under the GDPR

Persons suffering material or non-material damage as a result of a GDPR infringement have a right to receive compensation under Article 82 of the GDPR. The right to compensation will be as against the data controller or the data processor and where a person receives compensation under the GDPR, this will not prevent them from making any other available claims arising from the infringement (for example, a claim for misuse of private information).

GDPR compensation claims can be made for financial loss or for non-financial loss, such as embarrassment or distress. The appropriate procedure for claiming compensation will generally be a letter of claim to the data controller or data processor setting out the facts giving rise to the claim and the level of compensation sought. The controller or processor will then need to respond, either accepting the claim, rejecting the claim, seeking further information or making a without prejudice offer of settlement. Where a claim cannot be resolved by correspondence, court proceedings may be necessary.

The correct party to claim against will usually be the data controller: any controller involved in processing that infringes the GDPR is liable for the damage caused by that processing. Data processors can also be liable to pay GDPR damages, but only where they have failed to comply with those obligations of the GDPR directed specifically at processors, or where they have acted outside or contrary to the lawful instructions of the data controller. However, a data controller or data processor will escape liability if it can prove that it was not in any way responsible for the event giving rise to the damage (Article 82(3)).

Situations may arise where more than one controller or processor is involved in the same processing and is responsible for the damage. In such cases each of them is liable for the entire damage (Article 82(4)), so a person claiming GDPR compensation does not need to prove which party was in fact responsible or how liability should be apportioned between them: the full amount of compensation can be recovered from any one of the parties involved. A party that has paid full compensation may then claim back from the others the part corresponding to their share of responsibility for the damage (Article 82(5)).

Penalties under the GDPR

Regulators can impose very large penalties, or administrative fines, under the GDPR where an infringement occurs. A fine will not always follow an infringement: a reprimand may be issued instead where the infringement is a minor one or where a fine would be a disproportionate burden on a natural person. Where regulators do choose to issue monetary penalties, Article 83(1) requires that each penalty handed down is:

  • effective;
  • proportionate; and
  • dissuasive.

All of the circumstances of the infringement will therefore become relevant in determining the appropriate level of penalty. Article 83(2) of the GDPR lists 11 factors that regulators must take into account when deciding whether to impose a fine and, if so, the amount of the fine:

  • the nature, gravity and duration of the breach whilst taking into account the nature, scope or purpose of the processing as well as the number of data subjects affected and the extent of the damage they have suffered;
  • whether the breach was intentional or negligent;
  • any effort made by the data controller or processor to mitigate the damage suffered by the data subjects;
  • the degree of responsibility on the data controller or processor taking into account the technical and organisational measures used by them;
  • whether there have been any previous infringements;
  • the degree of cooperation with the supervisory authority in order to remedy and mitigate the breach;
  • the category of personal data affected by the infringement;
  • how the breach became known to the supervisory authority;
  • what measures, if any, have previously been ordered against the data controller or processor and the extent to which they have complied with them;
  • adherence with any approved codes of conduct or certification mechanisms; and
  • any other aggravating or mitigating factors such as financial benefits gained or losses avoided either directly or indirectly.

GDPR Penalties – two-tier structure

Articles 83(4) and 83(5) of the GDPR set up a two-tier penalty system. Penalties at the upper end, for more serious infringements, are fines of up to 20,000,000 EUR or, in the case of an undertaking, 4% of its total worldwide annual turnover for the preceding financial year (whichever is higher). Penalties at the lower end, for less serious infringements, are still very large, being up to 10,000,000 EUR or, in the case of an undertaking, 2% of its total worldwide annual turnover for the preceding financial year (whichever is higher).

The higher tier of penalty applies for more serious breaches, such as the failure to:

  • comply with data protection principles such as lawfulness, fairness, transparency, storage limitation and confidentiality;
  • obtain valid consent;
  • fulfil the requirements relating to processing special categories of (sensitive) personal data;
  • meet obligations in relation to data subjects’ rights such as the right to transparency, the right to access personal data and the right to rectification and erasure;
  • transfer data to a third country in accordance with the rules on data transfer;
  • comply with Member State law adopted to implement the provisions to specific processing situations; or
  • comply with an order of a supervisory authority, such as an order to limit processing, to suspend data flows to a third country, to comply with a data subject’s request to exercise his or her rights, or to communicate a personal data breach to the affected data subjects.

The “lower end” fines – those of up to 10,000,000 EUR or 2% of annual turnover (whichever is greater) are reserved for breaches such as failure to:

  • obtain parental consent where online services are offered directly to a child and the processing relies on consent;
  • comply with the provisions applicable to processing which do not require identification;
  • incorporate and implement data protection by design and default principles;
  • apportion responsibilities between joint controllers in a transparent arrangement;
  • designate a representative where required;
  • comply with the requirements concerning the appointment of data processors;
  • maintain proper records of processing activities and cooperate with the supervisory authority;
  • implement proper security measures;
  • notify a personal data breach to the supervisory authority and, where required, communicate it to the affected data subjects;
  • conduct a data protection impact assessment and, where high residual risk remains, consult the supervisory authority before processing; or
  • appoint a data protection officer.

South Bank Legal is a Central London law firm with a track record of conducting successful data protection compensation claims and providing sound data protection and GDPR compliance advice. Should you require a confidential discussion about anything you have read here, please do not hesitate to get in touch.