Can you sue for a GDPR data protection breach?

Can you seek an award of damages if your personal data has been exposed through a breach of the regulation? The short answer is yes. Data privacy laws in the European Union are rigid and are there to protect you as a consumer or employee. Data protection laws in Ireland and the rest of the EU are known as GDPR; under Article 82 of these new laws, if you’ve suffered material or non-material damage as the result of a data privacy breach, then you have the right to seek compensation. The individual has the right to bring a claim to court.

Firstly, it would be helpful to have a little understanding of the principles of GDPR and of what your rights are. General Data Protection Rules (GDPR) came into direct law in Ireland on the 25th of May 2018. The rules are a reformation of the Data Protection Acts 1988 and 2003. They affect companies and individuals who record, process and hold your personal information.

What are the GDPR principles (protection of your private data)?

  • Companies must process your data transparently, fairly and lawfully.
  • They must only collect your personal data for a specified and legitimate reason.
  • They should only collect data that is relevant to that purpose. An example of a breach would be a service collecting and storing your phone number when it would never have a legitimate reason to call you.
  • Data that is not accurate or ‘out of date’ should not be stored.
  • Data should be stored in a way that makes it easily identifiable to its purpose, e.g. an email address stored on a marketing list for a newsletter, and that email address should not be kept for longer than is necessary.
  • Security: a company needs to protect your data from the risk of a human, hacker or technical leak.
  • Companies must be able to demonstrate that they are complying with the principles.
  • Companies must respond to you if you make a request to them under your GDPR rights, e.g. requesting a copy of the information that they hold on you (an access request).

If companies are not abiding by these rules, they could be found in breach of GDPR, and in turn this could increase your risk of being affected by a data breach. Apart from having to follow these principles, companies and organisations also have obligations to individuals; these obligations are your rights under GDPR. Let’s have a look at your rights here:

  • Data access: If you are an EU citizen, you can contact any organisation/body and ask for a copy of all the data they hold on you, whether it’s CCTV footage or written or digitally held records of your personal information. What to do: send a request to the organisation/body that you want your data from, giving as many details as possible, such as photo ID, name and postal or email address. The company should respond to your request (known as a subject access request) within one month.
  • To be informed: Transparency is an important requirement of GDPR; you have the right to be informed of the collection of your personal data. When you’re browsing a company’s website you should find information on how data is collected in its Privacy Policy.
  • Rectification: If you feel that the personal information held about you is wrong or inaccurate, you have the right to ask for that information to be corrected.
  • Erasure: This is also known as ‘the right to be forgotten’. You can ask a company to erase data held on you, although the company only has to comply in certain circumstances. This request is common where data is held about children, especially in an online environment.
  • Restrict processing: Processing data refers to any operation performed on data, such as recording, modifying, collecting or publishing the information. You have the right to ask an organisation to stop using your data, but the data can still be stored.
  • Data portability: Companies need to store your data in a format that is portable, so that if you request your data it can easily be transferred to you or to another organisation. This commonly applies in e-commerce, for example when requesting a copy of your purchase history from an online retailer.
  • The right to object: You have the right to object to a company continuing to process your personal data; an example of this is requesting to be removed from a mailing list.
  • Automated processing: This is the processing of data without human involvement; such data might be used for decision making and profiling. An example of profiling individuals’ data is analysing your shopping behaviour and then comparing your data with that of other shoppers to create ‘personalities’; this information helps companies make predictions about other products that you would like. Automated processing can be unlawful if you haven’t given consent, unless the processing is necessary for public interest reasons.

The biggest automated processing breach of recent times was the Facebook Cambridge Analytica Scandal where the data on millions of Facebook profiles was harvested without people’s consent.

All companies that process personal data should have a data protection policy; this is a document stating the company’s GDPR compliance procedures and principles. You should be able to access a company’s data protection policy. If you have reason to believe that your personal data has been breached, for example because you have received a data breach notification from a company, you should make a complaint to the Office of the Data Protection Commissioner.

Data breaches are incredibly common, and breaches of some sort are occurring nearly every day. When a data breach is serious and the individuals affected are entitled to redress, this could lead to millions of euros in payouts. At the moment there are law cases ongoing involving Ticketmaster, British Airways, Marriott Hotels and Facebook, who could have to make large payouts to consumers as well as pay significant GDPR fines.

Compensation

If your personal data has been exposed due to a breach of the rules, you have the right to seek compensation from the controller or processor of the data. The data involved in most breach compensation claims is usually personal information that identifies the individual, e.g. PPS numbers, or financial information such as your bank PIN (data that is not normally public). But it is possible that, even without damage suffered, you could be entitled to compensation if any of the rights outlined above have been violated; at the very least, the company or organisation involved could be subjected to a fine.

“In contentious business, a solicitor may not calculate fees or other charges as a percentage or proportion of any award or settlement”.

If you have been affected by a Data Breach and would like more information, then fill out the form below, and we will get back to you!