Right to compensation

The right to compensation under Article 82 GDPR entitles data subjects to redress for both material and non-material damage suffered as a result of an infringement of the GDPR by a controller or processor.

Article 82 GDPR establishes an autonomous, EU-law right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the GDPR. The claim is directed against the controller or the processor and requires three conditions: an infringement of the Regulation, actual damage, and a causal link between the infringement and the damage. Unlike the administrative fine under Article 83 GDPR, this right is not punitive but serves to fully compensate the harm suffered; according to the CJEU, punitive damages are not provided for.

Material damage covers quantifiable financial loss, such as the cost of remedying the harm, expenses incurred to prevent identity theft, or lost benefits. Non-material damage covers non-pecuniary harm such as loss of control over one's own data, fear of misuse, reputational harm, or psychological distress. In several leading judgments (including C-300/21 Österreichische Post, C-340/21 and C-687/21), the CJEU clarified that not every mere infringement automatically gives rise to damage, but that there is no de minimis or seriousness threshold: even a justified loss of control or a genuine fear of misuse can already constitute compensable non-material damage.

The burden of proof is tiered: the data subject must demonstrate the infringement, the damage, and the causal link, whereas under Article 82(3) GDPR the controller can only be exempted by proving that it is not in any way responsible for the event giving rise to the damage. Multiple parties are jointly and severally liable (Article 82(4) GDPR) and may seek recourse from one another. For organisations, this means that comprehensive documentation of the technical and organisational measures in place, together with a robust data protection management system, not only serves the accountability principle but, in the event of a liability claim, provides the decisive evidence for exoneration.

Legal Basis

Article 82 GDPR

Practical Example

An online retailer suffers a data breach in which customers' names, email addresses, and order histories are published on the dark web. Several affected individuals claim compensation: one customer asserts material damage covering the cost of a credit-monitoring service, while others rely on non-material damage from loss of control and a genuine fear of phishing attacks. The data protection officer works with the legal department to assess whether the infringement (inadequate technical and organisational measures) is established and whether the company can exonerate itself under Article 82(3) GDPR. The previously well-maintained documentation of security measures and the recorded patch management become the basis of the defence and of assessing the amount due.

FAQ

Material compensation makes good quantifiable financial loss, such as the cost of remedying the harm or other financial losses. Non-material compensation covers non-pecuniary harm such as loss of control over one's own data, fear of misuse, or reputational damage. Both types of damage are in principle compensable under Article 82 GDPR.
No. The CJEU has clarified that an infringement alone does not automatically give rise to a claim; actual damage and a causal link must also be present. However, there is no de minimis or seriousness threshold, so even a justified loss of control can constitute compensable non-material damage.
Under Article 82(3) GDPR, the controller or processor escapes liability only by proving that it is not in any way responsible for the event giving rise to the damage. Comprehensive documentation of the technical and organisational measures in place is decisive for this.
