Breach of GDPR- level of compensation?

CFWJOB

I take my online and data privacy seriously and am careful to control this.

I parted company with a bank several years ago then I realised they were still using my email to send me marketing material.  I wrote to say that I was withdrawing permission for all data processing unless it was legally required. The marketing continued so after I'd exhausted the complaints procedure I went to the ICO which upheld my claim. The emails did not stop and then I also found they were sharing my data with third party organisations, who also began to show me targeted adverts.

The bank have finally acknowledged a breach of GDPR and have told me they will no longer process my data.  They have offered a token sum in compensation.  This doesn't seem much given the time and effort it has taken for me to protect my data; over 3 years it's taken over 20 emails, calls, letters to achieve what should be a simple routine GDPR request. Financial compensation is not my only motivation- I will also take this further as the complaints team have  admitted to me in writing that they are not following many of the basic principles of GDPR and data protection.

Does anyone have experience of what would be a reasonable sum to request from them for a consistent and sustained breach?  

Grumpy_chap

CFWJOB said:

I take my online and data privacy seriously and am careful to control this.

I parted company with a bank several years ago then I realised they were still using my email to send me marketing material.  I wrote to say that I was withdrawing permission for all data processing unless it was legally required. The marketing continued so after I'd exhausted the complaints procedure I went to the ICO which upheld my claim. The emails did not stop and then I also found they were sharing my data with third party organisations, who also began to show me targeted adverts.

The bank have finally acknowledged a breach of GDPR and have told me they will no longer process my data.  They have offered a token sum in compensation.  This doesn't seem much given the time and effort it has taken for me to protect my data; over 3 years it's taken over 20 emails, calls, letters to achieve what should be a simple routine GDPR request. Financial compensation is not my only motivation- I will also take this further as the complaints team have  admitted to me in writing that they are not following many of the basic principles of GDPR and data protection.

Does anyone have experience of what would be a reasonable sum to request from them for a consistent and sustained breach?  

What loss have you suffered?
How does that compare to the "token sum in compensation"?

Undervalued

Not very much unless you can show that you have suffered a quantifiable loss.

I am aware that breaches of the GDPR is one of the fairly few areas where compensation can be awarded without a specific loss but it doesn't tend to be very much.

You can of course report the matter to the ICO, which you say you have done. They have statutory powers. They may "slap their wrists" and impose a fine. Or, they may do little or nothing, just like reporting a minor crime to the police. They may or may not investigate, you cannot make them. Plus, they obviously do not have the resources to investigate every allegation in detail.

kirtondm

Unfortunately fines are paid from the bank to the government to encourage firms to apply the principles of GDPR not the individual. 

I am guessing you will not be able to show much actual financial loss so not sure you would get much more than a courtesy payment? You can not normally claim for your time sorting a problem out and the physical cost of then phone calls / letters is minimal.

It would probably have been cheaper for the company to settle with you before the ICO was involved but now they will have to pay any fine anyway.

I

jon81uk

If each of those 20 calls/emails took an hour to sort, at £10 an hour thats £200.

Any sum in that ball park seems reasonable.

What have you been offered?

[Deleted User]

Somewhere around £50-£100 would seem appropriate.

mattyprice4004

jon81uk said:

If each of those 20 calls/emails took an hour to sort, at £10 an hour thats £200.

Any sum in that ball park seems reasonable.

What have you been offered?

Writing an email or taking a phone call takes an hour? 

That must be one bad telephone line or very slow typing hand! 

TELLIT01

mattyprice4004 said:

jon81uk said:

If each of those 20 calls/emails took an hour to sort, at £10 an hour thats £200.

Any sum in that ball park seems reasonable.

What have you been offered?

Writing an email or taking a phone call takes an hour? 

That must be one bad telephone line or very slow typing hand! 

I think the intention was to show how little financial cost has actually been involved.  The post would have been better if it had said "Even if......."

The bank may be fined, but that won't go to the customer.

jon81uk

mattyprice4004 said:

jon81uk said:

If each of those 20 calls/emails took an hour to sort, at £10 an hour thats £200.

Any sum in that ball park seems reasonable.

What have you been offered?

Writing an email or taking a phone call takes an hour? 

That must be one bad telephone line or very slow typing hand! 

It was just a reference point to work out a possible rough maximum sum for compensation.
The phone call yes would probably be less than an hour, but might be on hold or working out what to ask. I expect the OP probably has spent less than 20 hours resolving this, but its a rough estimate.

CFWJOB

Interesting responses!  My initial complaint to the ICO some years back was upheld; the bank agreed that they were at fault and promised to fix things.  But they failed to do this and made no effort to follow basic GDPR protocols. It really shouldn't take 3 years and a huge effort to get a bank to comply with the law!

I've not referred them to the ICO this time.  I have a feeling that if I were to do so then they would be charged something like £750 as an automatic referral fee whatever the outcome. So their offer to me of £200 seems quite low. 

You don't have to show a quantifiable loss in order to claim compensation for a GDPR breach.  You can claim for distress and annoyance as well.  And personally I find it really frustrating that a huge business with a large compliance team can simply ignore the law and disregard its obligations under data protection.

Jenni_D

Breach of GDPR claims (like harassment claims) do not have to show a quantifiable loss. Anecdotal evidence over recent times from the Parking board has shown GDPR compensation payments of between £250 and £750 being awarded by judges.

PS - if you want/have to show time spent on this, your time should be claimed at the Litigant in Person rate of £19 per hour.