Claiming damages for violations of the GDPR
Data subjects are entitled to damages if a controller or processor of personal data violates the EU General Data Protection Regulation and the violation causes material or immaterial damage to the data subject.
File your claim directly with the controller or processor of personal data that committed the violation. If the controller rejects your claim, you can sue them in the district courts. Claims for damages related to personal data breaches or other crimes can be resolved in connection with the criminal trial.
Claiming damages from a controller or processor of personal data
Compensation for material or immaterial damage should primarily be claimed directly from the controller or processor of personal data that violated the GDPR.
Material damage refers to financial losses, such as costs and loss of income incurred from the treatment of injuries. It can include costs incurred from the onset or worsening of mental illness, for example. Immaterial damage refers to the pain, suffering and handicap caused by personal injuries, or the anguish caused by a violation of the victim's rights.
If the controller or processor of personal data refuses to pay the damages claimed, you can sue them in the courts by virtue of the GDPR.
More information on the right to compensation: Article 82 of the GDPR (EUR-Lex)
More information on damages eligible for compensation: Chapter 5, sections 2 and 6 of the Tort Liability Act (Finlex)
The data subject is the person to whom the personal data relates. Personal data, on the other hand, refers to information that you can be identified from. Personal data includes, for example, your personal identity code and medical records.
The controller is a person or organisation that determines the purposes and means of processing personal data. Some examples of controllers include an association that collects data on its members, a hospital that processes patient records, an online shop or a social media service.
The processor of personal data is a person or organisation that processes personal data on behalf of the controller. Examples of processors include a marketing agency handling the marketing of another company, or an IT service provider with access to the personal data stored by the controller. The controller’s employees who process personal data as part of their duties are not processors in this sense.
The Office of the Data Protection Ombudsman does not process claims for damages filed against a controller or processor. The Data Protection Ombudsman does not serve as an attorney and cannot claim damages on your behalf.
The task of the Office of the Data Protection Ombudsman is to investigate whether the processor or controller has acted in violation of the GDPR. If necessary, the Office of the Data Protection Ombudsman can exercise corrective powers, such as imposing administrative fines. Possible administrative fines are payable to the state, and factors such as the measures taken by the controller to mitigate the damage to data subjects can be taken into account when determining their amount.
Claiming damages for an offence
The claim for damages incurred from a personal data breach, dissemination of information violating personal privacy, a data protection offence, or other crimes can be made in connection with the criminal trial. In the pre-trial investigation, the police will ask the injured parties, i.e. those who reported the offence, whether they have claims against those suspected of the offence. Such claims can be decided in court in connection with the criminal trial.