You can claim compensation if a company or organisation hasn’t respected the data protection law and you’ve suffered material damages (for example financial loss) or non-material damages (for example distress or loss of reputation). You can make a claim to the company or organisation concerned or before the national courts. You can claim compensation before the courts of the EU Member State where the controller or processor is established. Alternatively, such proceedings may be brought before the courts of the EU Member State of your habitual residence.
You place an order on a website. The site suffers a cyber-attack because it doesn’t have adequate security. Your credit card details have been put on another website and used to buy items you never ordered. You can claim compensation from the website for the financial damage as they have breached the data protection law by not providing adequate security when processing data.
- Article 82 and Recitals (146) and (147) of the GDPR