Can I get compensation for a GDPR Data Breach?

What is a data breach?

A data breach occurs when an unauthorized person gains access to your personal information. This could be by hacking into a system that stores your personal information, for example hacking into a database or computer system. Or it could be by unlawful access – where a person uses their access to a system to view your information without a lawful basis. For example in the UK’s national health service many administrative staff will have access to systems that contain personal information, but this does not mean that they can access records at will, just because they are interested or curious about an individual’s health records. Accessing personal data without a lawful reason could be considered a data breach.

Does GDPR say I can get compensation?

Yes GDPR says that you can get compensation for a data breach. Article 82 of GDPR states that:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

For companies that breach the GDPR this means they can be liable for a financial penalty paid to the Supervisory Authority and individual compensation for claims brought by individuals directly or through the courts.

What is the process for getting compensation?

Generally it begins by working with a lawyer and going to court. Your need for legal advice will depend on the nature of the claim.

GDPR does not stipulate that you must go to court in order to claim compensation. You may go direct and find that the organisation agrees to pay you direct – in order for them to avoid further legal costs.

However if this fails then your next option would be via court. There are legal costs involved in starting a claim like this and they vary wildly between countries with GDPR style regulation. For example a legal complaint in Austria can be launched for around 30 euros, meanwhile in Ireland starting court proceedings can set you back at least 2,000 euros.

In some cases you have the option of joining a “class action”. This is where a group of parties brings a case against a company. So for example, if your data was leaked by a large social media company, you could join with other people affected (potentially in the millions) and lodge your court case for compensation. In practice this would likely be organised by some law firms and privacy rights groups.

How much compensation can I get for a data breach under GDPR?

The value of compensation will be up to the judge that is hearing the case. They will evaluate the circumstances and will factor in how serious the infringement of your data privacy was and the impact that it had on you.

The court can also award you costs, for example the fees that you had to pay to bring the case to court. It can also rule against you, asking you to cover the legal fees of the company you are claiming against. 

It would be wise to seek legal advice first to consider the risks of launching a claim.

Data breach compensation ranges

These ranges are based on previous cases brought under GDPR and other data privacy laws. They are for example purposes only, actual awarded compensation can vary dramatically.

Minor breach. Only personal data such as your name, date of birth, address was unlawfully accessed.
Expected: Up to £2000.

Medical information breach. Information relating to your personal health is unlawfully accessed.
Expected: £2,000 – £7,000

Financial information breach. Information relating to your personal financial records is unlawfully accessed.
Expected: £2,200 – £9,000

Physical or emotional harm. Personal data relating to you is unlawfully accessed which results in physical or emotional harm which you can evidence in court.
Expected: £20,000 – £72,000


⚠️ Try our free GDPR course. Section 1 and Section 2 available now, sign up and start learning immediately.