Security Breach Did Not Entitle Citizens to Compensation Under the General Data Protection Regulation
Gladsaxe had prepared a spreadsheet containing personal data on approximately 20,000 citizens. One of the municipality’s employees saved the spreadsheet on a laptop computer, which - together with three other laptops, clothing, and a bag of empty bottles - was subsequently stolen from the town hall. The municipality reported the theft to the Danish Data Protection Agency (Datatilsynet) as it constituted a breach of personal data security, and the affected citizens were informed accordingly.
At the Supreme Court (Højesteret), the case concerned whether four of the affected citizens were entitled to compensation under Article 82 of the General Data Protection Regulation (GDPR), and whether the alleged damage resulted from the municipality’s processing of personal data in the spreadsheet or from the security breach caused by the theft of the computer.
The individuals’ claims of negative emotions were not sufficient
At the outset, the Supreme Court, referring to the case law of the Court of Justice of the European Union (CJEU), held that any person claiming compensation under Article 82 must establish that a violation of the GDPR has occurred and that such violation has caused material or non-material damage. More specifically, the Court stated that non-material damage may include negative emotions, such as fear or discomfort, experienced by the affected person as a result of the disclosure of their personal data.
During the trial, the affected citizens testified that the security breach had caused them fear and other negative emotions, including nervousness and shock.
The Supreme Court found that there was no information indicating that the spreadsheet had come into the possession of any unauthorized third party, or that the personal data had been misused in any other way. The Court further held that the negative emotions described by the individuals were not justified, given the nature of the spreadsheet and the circumstances surrounding the theft. Apart from their own statements, no evidence had been produced to substantiate that they had suffered damage in the form of negative feelings or any related consequences.
On this basis, the Supreme Court concluded that the individuals were not entitled to compensation under the GDPR.
Littler’s Comment
The judgment emphasizes that a violation of the GDPR does not automatically entitle the affected individuals to compensation. Compensation under Article 82 of the GDPR requires that the violation has caused either material or non-material damage.
The judgment further clarifies that when non-material damage in the form of negative emotions, including fear, is invoked, the individual’s own testimony must be supported by additional evidence demonstrating that the violation has caused such emotions. A person’s own statement referring to negative feelings is therefore not sufficient to trigger compensation.
Enquiries and questions regarding the article can be directed to Attorney and Director Marietta Bak Seemholt at
Disclaimer: This article does not and cannot replace legal advice.
