Right to compensation and liability

04th October 2019

The Data Protection Commission (DPC) regularly receives queries from individuals about whether they can get compensation if their personal data rights have been infringed. Whilst the DPC has a suite of powers at its disposal to resolve complaints and take action against organisations, it cannot award compensation to affected individuals. This blog will outline briefly what the DPC can do for individuals, and what other options are open to you by going to court.

How the DPC can help you

The DPC has a broad mandate to ensure that organisations processing personal data comply with their obligations under data protection law. In particular, organisations that process personal data must comply with the fundamental principles of data protection, to ensure that they fulfil their obligations under the General Data Protection Regulation (GDPR). These principles include:

  • Lawfulness, fairness, and transparency;
  • Purpose Limitation;
  • Data Minimisation;
  • Accuracy;
  • Storage Limitation;
  • Integrity and Confidentiality; and
  • Accountability.

A list of the Fundamental Principles of GDPR and there explanations can be found here. 

One of the DPC’s key roles is to protect the data protection rights of individuals (known as ‘data subjects’). The GDPR also gives individuals certain specific rights in relation to his or her personal data:

  • The right to access information;
  • The right to be informed;
  • The right to rectification;
  • The right to erasure;
  • The right to data portability;
  • Rights in relation to automated decision making, including profiling;
  • The right to object to processing of personal data; and
  • The right of restriction.

A list of the rights of individuals under the GDPR and their explanations, as well as exceptions can be found here.

The DPC has a number of powers, functions, and duties deriving from the Data Protection Act 2018 and GDPR. To assist data subjects in exercising his or her data protection rights, the DPC can take a number of actions, including:

  • Responding to queries addressed to the DPC and providing information about obligations and rights under data protection law;
  • Receiving and handling complaints from individuals about potential infringements of his or her data protection rights, and seeking that organisations enable the exercise of those rights;
  • Facilitating an amicable resolution to complaints between organisations and data subjects;
  • Where necessary, conducting inquiries or investigations regarding potential infringements of data protection law; and
  • Taking enforcement action where an organisation is in breach of their obligations under data protection law, including:
    • Issuing warnings or reprimands;
    • Ordering compliance with data subject requests;
    • Imposing a temporary or definitive ban on certain processing; or
    • Imposing an administrative fine on the organisation.

However, as mentioned at the outset, the DPC does not have any power to order an organisation to pay compensation to an affected data subject. In the case of administrative fines, any funds collected from these fines go to the state exchequer.

Data Protection Actions

In addition to the powers the DPC has to enforce data subjects’ rights, individuals are also open to take private civil actions against organisations where his or her rights have been infringed – although the DPC does not have any formal role in this process.

Article 82 of the GDPR allows for any person who has suffered material or non-material damage as a result of an infringement of the GDPR, the right to receive compensation from the controller or processor for the damage suffered. Under Section 117 of the Data Protection Act 2018, if an individual believes his or her rights under the GDPR have been infringed as a result of an organisation’s failure to comply with its obligations under the GDPR, they may bring an action against the organisation. This is known as a ‘data protection action’.

A data protection action can be taken before the courts by an individual or by a not-for-profit body, organisation or association on behalf of the individual. Individuals are entitled to both make a complaint to the DPC as well as taking a data protection action against an organisation, as the right to take such an action is ‘without prejudice’ to the other rights or remedies available to individuals.

In a data protection action, the court has the power to grant one or more of the following to an individual where they are successful in his or her action:

  • An injunction or a declaration; or
  • Compensation for damage (including material and non-material damage) suffered as a result of the infringement of data protection law.

Therefore, although the DPC can vindicate individuals’ data protection rights in a number of ways, the only way for individuals to compel financial compensation from an organisation for an infringement of his or her data protection rights is by taking a private data protection action as outlined above.