Claiming damages for violations of the GDPR

Data subjects are entitled to damages if a controller or processor of personal data violates the EU General Data Protection Regulation and the violation causes material or immaterial damage to the data subject.

File your claim directly with the controller or processor of personal data that committed the violation. If the controller rejects your claim, you can sue them in the district courts. Claims for damages related to personal data breaches or other crimes can be resolved in connection with the criminal trial.

Claiming damages from a controller or processor of personal data

Compensation for material or immaterial damage should primarily be claimed directly from the controller or processor of personal data that violated the GDPR.

Material damage refers to financial losses, such as costs and loss of income incurred from the treatment of injuries. It can include costs incurred from the onset or worsening of mental illness, for example. Immaterial damage refers to the pain, suffering and handicap caused by personal injuries, or the anguish caused by a violation of the victim's rights.

If the controller or processor of personal data refuses to pay the damages claimed, you can sue them in the courts by virtue of the GDPR.

More information on the right to compensation: Article 82 of the GDPR (EUR-Lex)

More information on damages eligible for compensation: Chapter 5, sections 2 and 6 of the Tort Liability Act (Finlex)

 

The Office of the Data Protection Ombudsman does not process claims for damages filed against a controller or processor. The Data Protection Ombudsman does not serve as an attorney and cannot claim damages on your behalf.

The task of the Office of the Data Protection Ombudsman is to investigate whether the processor or controller has acted in violation of the GDPR. If necessary, the Office of the Data Protection Ombudsman can exercise corrective powers, such as impose administrative fines. Possible administrative fines are payable to the state, and factors such as the measures taken by the controller to mitigate the damage to data subjects can be taken into account when determining their amount.

Claiming damages for an offence

The claim for damages incurred from a personal data breach, dissemination of information violating personal privacy, a data protection offence, or other crimes can be made in connection with the criminal trial. In the pre-trial investigation, the police will ask the injured parties, i.e. those who reported the offence, whether they have claims against those suspected of the offence. Such claims can be decided in court in connection with the criminal trial.