Anyone had any success or have any advice for GDPR claims

snewbs

Hi All,

First time poster, long time lurker here looking for some advice. I have had at least two instances of data breach in the last 12 months which I have contacted organisations to reclaim compensation under GDPR.   One was where a CV was forwarded on (and I was offered an interview) which I explicity asked the agency not to forward the CV in writing.  The other was more recent under an energy company data breach.  I recognise there will be mixed views on whether you should reclaim however I didn't really want to get in that - its the principle I am looking for here.  The law is there to protect others and whilst I recognise mistakes can be made, data can be breached its up to the organisation to ensure there are safeguards in place to stop this.  In the case of the energy company, they were also holding data that was no longer relevant (and therefore should be deleted). 

So - in summary, I've contacted both and both have flatly refused to provide any level of compensation.  To me, it doesn't appear you can do anything about it unless you persue a small claims court.  Which leads me to the question (if this is correct) - whats the point of having the GDPR act if its so difficult to claim against it?  Constructive responses would be most appreciated!

[Deleted User]

You don't make GDPR claims, so there is nothing to claim against.

GDPR are regulations which now form part of the 2018 DPA.  If you feel a company has breached it, you can report it to the ICO and they will take any appropriate enforcement, but its not a cash back claim scheme for customers.

If you have any specific losses caused by the breach, you can ask the company to compensate you for that specific loss.

BooJewels

We looked into this a while ago and I thought you had to be able to demonstrate you'd suffered damage as a result of the breach - being miffed about it doesn't really count as qualifying damage.  In our case, there was apparent damage (both inconvenience and financial loss), but it turns out, once we got the result of the SAR, we'd only been told there was damage by an intermediate party, who simply lied about it for their own ends.  The organisation we thought were in the wrong, weren't actually - they'd done nothing wrong at all. 

If the practices of the company concerned are not abiding by GDPR regulations, you can report them to ICO for investigation.

snewbs

Deleted_User said:

You don't make GDPR claims, so there is nothing to claim against.

GDPR are regulations which now form part of the 2018 DPA.  If you feel a company has breached it, you can report it to the ICO and they will take any appropriate enforcement, but its not a cash back claim scheme for customers.

If you have any specific losses caused by the breach, you can ask the company to compensate you for that specific loss.

Thanks for the prompt response and this maybe in the wrong forum (sorry!). 

When I went to the ICO, they pointed me to the article 82 of GDPR (can't post a link!) which doesn't suggest you need to have a specific loss to compensate for a breach.  Material or non material damages is mentioned and Recital 85 lists the following as a scenario of potential cases of damages:

• loss of control over [data subject’s] personal data,

[Deleted User]

But in practice, a company error that results in no loss doesn't result in cash payouts.  It's purely theoretical.  If you look at enforcement activity for recent DPA breaches, it's a world away from the scenarios you're describing.

The_squirrell

Agree with everything that has been said above, and as you say errors can be made. In the example you quote for the energy company. If there are no legitimate or regulatory reasons for the data to be held, then GDPR gives you the right to request that this information is erased. It does not give the absolute right to have it removed, if there is a genuine reason for it being retained. The list of reasons is long and not always obvious. The CV was pure human error and a small error like this will not be reportable to the ICO as a data breach

snewbs

OK - I thought GDPR was a rare exception where damages for emotional distress or non-material damage such as loss of data can be claimed.  Appreciate the input and responses

BooJewels

Do you have legal cover on your home insurance? That might give you access to some free legal advice.  Our process was part of a legal fight we were in, being represented by lawyers assigned through our insurance - so we were being guided by a lawyer.  But I don't know if the GDPR matter would have been covered in isolation, as it was part of a bigger issue.

snewbs

BooJewels said:

Do you have legal cover on your home insurance? That might give you access to some free legal advice.  Our process was part of a legal fight we were in, being represented by lawyers assigned through our insurance - so we were being guided by a lawyer.  But I don't know if the GDPR matter would have been covered in isolation, as it was part of a bigger issue.

I do - but my interest was also in that there is guidance out there to suggest you should be provided with compensation (although responses above suggest not for data being breached / mistakes).  If everytime someone knocks on the door legitately for compensation as a result of data breach, the answer seems to be no.  The issue I have is that that 'data' in most cases will be sold, passwords need to be changed, the more data is breached - the larger the hackers databases, the larger the risk.  The distress may not be immediate - but it will likely occur. It doesn't take long to find hacked data being sold on the internet.

waamo

snewbs said:

OK - I thought GDPR was a rare exception where damages for emotional distress or non-material damage such as loss of data can be claimed.  Appreciate the input and responses

It is but not many people seem to know that. Payouts are minimal at best though. For a minor breach you may, if you are lucky, get about £200 if you went to court. Only you can decide if it is worth the time and effort involved, which would be considerable.

FaceHead

GDRP has been in effect across Europe for some time now, but there have been only a couple of successful claims for non-material damages, and these are in very unique circumstances. On the whole, you need to demonstrate material damage to win a payout. Whilst non-material damages are allowed for in the law, courts just aren't accepting a generic statement of distress caused by a breech  as adequately evidencing damages that can have a financial amount attached.

In practice the ICO can chose to fine companies on the public's behalf, rather than having individuals bringing their own claims. Consider the BA data breech. The £20m fine represents something like £30 per person affected, but those people aren't going to be receiving cheques in the post.